
Commit 7d7aefae authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server

Merge "msm: camera2: cpp: Fix out-of-bounds frame or command buffer access"

parents f389667c 5757c1ca
+28 −7
@@ -2462,8 +2462,28 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
		return -EINVAL;
	}

	if (stripe_base == UINT_MAX || new_frame->num_strips >
		(UINT_MAX - 1 - stripe_base) / stripe_size) {
	/* Stripe index starts at zero */
	if ((!new_frame->num_strips) ||
		(new_frame->first_stripe_index >= new_frame->num_strips) ||
		(new_frame->last_stripe_index  >= new_frame->num_strips) ||
		(new_frame->first_stripe_index >
			new_frame->last_stripe_index)) {
		pr_err("Invalid frame message, #stripes=%d, stripe indices=[%d,%d]\n",
			new_frame->num_strips,
			new_frame->first_stripe_index,
			new_frame->last_stripe_index);
		return -EINVAL;
	}

	if (!stripe_size) {
		pr_err("Invalid frame message, invalid stripe_size (%d)!\n",
			stripe_size);
		return -EINVAL;
	}

	if ((stripe_base == UINT_MAX) ||
		(new_frame->num_strips >
			(UINT_MAX - 1 - stripe_base) / stripe_size)) {
		pr_err("Invalid frame message, num_strips %d is large\n",
			new_frame->num_strips);
		return -EINVAL;
@@ -2704,9 +2724,10 @@ static int msm_cpp_cfg(struct cpp_device *cpp_dev,
	struct msm_cpp_frame_info_t *frame = NULL;
	struct msm_cpp_frame_info_t k_frame_info;
	int32_t rc = 0;
	int32_t i = 0;
	int32_t num_buff = sizeof(k_frame_info.output_buffer_info)/
	uint32_t i = 0;
	uint32_t num_buff = sizeof(k_frame_info.output_buffer_info) /
				sizeof(struct msm_cpp_buffer_info_t);

	if (copy_from_user(&k_frame_info,
			(void __user *)ioctl_ptr->ioctl_ptr,
			sizeof(k_frame_info)))
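Review bot: In the first hunk (msm_cpp_cfg_frame), the new stripe-index check rejects negative values only if `num_strips`, `first_stripe_index` and `last_stripe_index` are unsigned; their declarations are outside the hunk, and the added `pr_err` calls print them with `%d`. If the fields are unsigned, the specifiers should be `%u` (likewise for `stripe_size` in `"invalid stripe_size (%d)!"`) so that large values are not logged as negative numbers; if they are signed, the condition needs an explicit `< 0` test on both indices. These error paths appear to be reachable from an ioctl-supplied frame message, so `pr_err_ratelimited(...)` would keep a caller that repeatedly submits invalid frames from flooding the kernel log. The body of msm_cpp_cfg_frame starts and ends outside the hunk, so other uses of the stripe indices could not be checked here.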