Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8b90095d authored by Arun Menon's avatar Arun Menon
Browse files

msm: vidc: Fix out of bound access during memcpy 



When driver queries the profile-level information from the
firmware, it allocates a buffer size of sizeof(struct hal_profile_level)
and fills the firmware response in this structure. In the client
response handler, there is a memcpy of this buffer of
sizeof(union hal_get_property) to the client's buffer. This change
prevents the out of bound access.

Change-Id: Ibff9e591e9a06dbf40e912c48ccb1713f30c9022
Signed-off-by: default avatarArun Menon <avmenon@codeaurora.org>
parent 854262df

drivers/media/platform/msm/vidc/msm_vidc_common.c

+1 −1
Original line number Diff line number Diff line
@@ -981,7 +981,7 @@ static void handle_session_prop_info(enum hal_command_response cmd, void *data) 
	}



	getprop->data = kmemdup(&response->data.property,

			response->size, GFP_KERNEL);

			sizeof(union hal_get_property), GFP_KERNEL);

	if (!getprop->data) {

		dprintk(VIDC_ERR, "%s: kmemdup failed\n", __func__);

		kfree(getprop);