Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cf0a5f4c authored by Senthil Kumar Rajagopal's avatar Senthil Kumar Rajagopal Committed by Gerrit - the friendly Code Review server
Browse files

msm: camera: isp: Handle array out of bound access. 



The pointer req_frm is coming from userspace,
It may overflow stream_info.
Adding a bound check to prevent the same.
CRs-fixed: 2008683

Change-Id: I098df899324a8d5561a5754330b89e532ba8d5d8
Signed-off-by: default avatarSenthil Kumar Rajagopal <skrajago@codeaurora.org>
parent 0a56af85

drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c

+5 −0
Original line number Diff line number Diff line
@@ -3807,6 +3807,11 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg) 
	case UPDATE_STREAM_REQUEST_FRAMES_VER2: {

		struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm =

			&update_cmd->req_frm_ver2;

		if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) {

			pr_err("%s: Invalid stream handle\n", __func__);

			rc = -EINVAL;

			break;

		}

		stream_info = &axi_data->stream_info[HANDLE_TO_IDX(

				req_frm->stream_handle)];

		rc = msm_isp_request_frame(vfe_dev, stream_info,