
Commit 9eeca142 authored by Trishansh Bhardwaj, committed by Gerrit - the friendly Code Review server

msm: camera: Fix memory read by adding bounds check



Adds bound check on reg_cfg_cmd->u.dmi_info.hi_tbl_offset.

IOCTL VIDIOC_MSM_VFE_REG_CFG uses user-supplied value without
performing bounds check for following cmd_type.
VFE_READ_DMI_16BIT
VFE_READ_DMI_32BIT
VFE_READ_DMI_64BIT

Change-Id: I554c45ef3a172f5b5891b67a7e8e7a1f3f3882ed
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
parent ad8cf1bb
+2 −1
@@ -1003,7 +1003,8 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
	case VFE_READ_DMI_16BIT:
	case VFE_READ_DMI_32BIT:
	case VFE_READ_DMI_64BIT: {
		if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) {
		if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT ||
			reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {
			if ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset <=
				reg_cfg_cmd->u.dmi_info.lo_tbl_offset) ||
				(reg_cfg_cmd->u.dmi_info.hi_tbl_offset -
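Review bot: The widened condition at the top of this case block adds only VFE_READ_DMI_64BIT, while the commit message names VFE_READ_DMI_16BIT and VFE_READ_DMI_32BIT as also using the user-supplied value without a bounds check. If the 16-bit and 32-bit reads never consume hi_tbl_offset, state that in the commit message or in a short comment above the condition so the mismatch does not look like an omission; if they do consume it, they need to be added to this condition as well. A one-line comment that hi_tbl_offset and lo_tbl_offset arrive from userspace through VIDIOC_MSM_VFE_REG_CFG would also make it clear why the read path has to mirror the write path's check.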