
Commit a0cafdd2 authored by Chinmay Sawarkar, committed by Gerrit - the friendly Code Review server

msm: vidc: Fix use after free bug in set_output_buffers



When set_buffers fails, binfo is freed and again accessed
while freeing smem memory.

CRs-Fixed: 2118860
Change-Id: Ifdd683f907862665e34d6d39d5a8634984804c01
Signed-off-by: Chinmay Sawarkar <chinmays@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
parent d47fcab7
+3 −3
@@ -3032,7 +3032,7 @@ static int set_output_buffers(struct msm_vidc_inst *inst,
{
	int rc = 0;
	struct msm_smem *handle;
	struct internal_buf *binfo;
	struct internal_buf *binfo = NULL;
	u32 smem_flags = 0, buffer_size;
	struct hal_buffer_requirements *output_buf, *extradata_buf;
	int i;
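Review bot: The `= NULL` initializer on `binfo` in the declaration only covers the first time a cleanup label that calls `kfree(binfo)` is reached with nothing allocated. The `int i` declaration suggests the allocations happen in a loop whose body is not shown in this hunk; if so, `binfo` still holds the previous pass's pointer when a later pass fails before allocating, and the error path would free a buffer that may already have been handed off. Consider resetting `binfo = NULL` at the top of each pass (or right after ownership is transferred), and add a short comment saying the initializer exists so the error path can call `kfree(binfo)` unconditionally.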
@@ -3138,10 +3138,10 @@ static int set_output_buffers(struct msm_vidc_inst *inst,
	}
	return rc;
fail_set_buffers:
	kfree(binfo);
fail_kzalloc:
	msm_comm_smem_free(inst, handle);
err_no_mem:
	kfree(binfo);
fail_kzalloc:
	return rc;
}
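Review bot: With `fail_kzalloc:` moved below both frees, `goto fail_kzalloc` now goes straight to `return rc` and no longer reaches `msm_comm_smem_free(inst, handle)` as it did before the reorder; if `handle` is already allocated when that jump is taken, the smem buffer leaks. The reorder does give `fail_set_buffers` the right order (smem freed before `kfree(binfo)`), but `err_no_mem` now also falls through `kfree(binfo)`, which is safe only while `binfo` is NULL or a buffer this function still owns. Suggest doing both frees under `fail_set_buffers` and returning there, so that `fail_kzalloc` can stay above `msm_comm_smem_free(inst, handle)` and `err_no_mem` frees nothing.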