
Commit df512d13 authored by Senthil Kumar Rajagopal, committed by Gerrit - the friendly Code Review server

msm: camera: isp: Handle array out of bounds



The pointer qbuf_buf comes from userspace.
qbuf_buf->num_planes is used with no bound check,
which, if set to a large value, will overflow
buf_info->mapped_info and qbuf_buf->planes.

CRs-Fixed: 2003798

Change-Id: I332e0424e57bb14b481a740604a09350e6f029a8
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
parent 9dbf9c2b
+13 −1
/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -190,6 +190,12 @@ static int msm_isp_prepare_v4l2_buf(struct msm_isp_buf_mgr *buf_mgr,
	struct msm_isp_buffer_mapped_info *mapped_info;
	uint32_t accu_length = 0;

	if (qbuf_buf->num_planes > MAX_PLANES_PER_STREAM) {
		pr_err("%s: Invalid num_planes %d , stream id %x\n",
			__func__, qbuf_buf->num_planes, stream_id);
		return -EINVAL;
	}

	for (i = 0; i < qbuf_buf->num_planes; i++) {
		mapped_info = &buf_info->mapped_info[i];
		mapped_info->buf_fd = qbuf_buf->planes[i].addr;
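Review bot: The bound in msm_isp_prepare_v4l2_buf is MAX_PLANES_PER_STREAM, but the loop right after it indexes two arrays, buf_info->mapped_info[i] and qbuf_buf->planes[i], and the unprepare check in this same patch uses VIDEO_MAX_PLANES instead. Please confirm that MAX_PLANES_PER_STREAM is no larger than the declared size of either array (or bound the value with ARRAY_SIZE() of the smaller one), and use a single constant in both functions so the two paths cannot drift apart. Because num_planes is supplied by userspace, pr_err_ratelimited would keep a caller from flooding the kernel log with this message. The format string also has a stray space before the comma ("%d , stream id"), and %d should be %u if num_planes is unsigned.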
@@ -234,6 +240,12 @@ static void msm_isp_unprepare_v4l2_buf(
		return;
	}

	if (buf_info->num_planes > VIDEO_MAX_PLANES) {
		pr_err("%s: Invalid num_planes %d , stream id %x\n",
			__func__, buf_info->num_planes, stream_id);
		return;
	}

	bufq = msm_isp_get_bufq(buf_mgr, buf_info->bufq_handle);
	if (!bufq) {
		pr_err("%s: Invalid bufq, stream id %x\n",
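Review bot: The early return on buf_info->num_planes > VIDEO_MAX_PLANES in msm_isp_unprepare_v4l2_buf skips the whole unprepare step, so any planes that were mapped for this buffer stay mapped with only a log line to show for it. If the prepare path already rejects out-of-range values, this state should be unreachable and the commit message or a comment should say the check is defensive; if it is reachable, consider clamping the count and unmapping the valid entries rather than returning. The constant here differs from the MAX_PLANES_PER_STREAM used in the prepare hunk, so please state which one matches the size of buf_info->mapped_info and use it in both places.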