authorSurajit Podder <spodder@codeaurora.org>2017-08-11 13:12:18 +0530
committerSurajit Podder <spodder@codeaurora.org>2017-08-15 10:50:50 +0530
commit07a24dd5e6fd9c65d8b2a7086fe89f54f22a2ee5 (patch)
tree2313affde3a26fe70dc1aa590002ca789af1db10
parenta49bb61510b938152025049730fa922c5da950a1 (diff)
msm: vidc: Fix possible out of bound array access
Fix possible out of bound array access by putting bounds check in __map_and_update_binfo. Use u32 to access array to simplify bounds check. Change-Id: I127fdc76fc273c0bcca727e9264a1d0f208dac1b Signed-off-by: Surajit Podder <spodder@codeaurora.org>
-rw-r--r--drivers/media/platform/msm/vidc/msm_vidc.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/drivers/media/platform/msm/vidc/msm_vidc.c b/drivers/media/platform/msm/vidc/msm_vidc.c
index de4705c3d2eb..3677bb6e32e6 100644
--- a/drivers/media/platform/msm/vidc/msm_vidc.c
+++ b/drivers/media/platform/msm/vidc/msm_vidc.c
@@ -533,11 +533,18 @@ static inline void save_v4l2_buffer(struct v4l2_buffer *b,
static int __map_and_update_binfo(struct msm_vidc_inst *inst,
struct buffer_info *binfo,
- struct v4l2_buffer *b, int i)
+ struct v4l2_buffer *b, u32 i)
{
int rc = 0;
struct msm_smem *same_fd_handle = NULL;
+ if (i >= VIDEO_MAX_PLANES) {
+ dprintk(VIDC_ERR, "Num planes exceeds max: %d, %d\n",
+ i, VIDEO_MAX_PLANES);
+ rc = -EINVAL;
+ goto exit;
+ }
+
same_fd_handle = get_same_fd_buffer(
inst, b->m.planes[i].reserved[0]);
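Review bot: The new guard at the top of `__map_and_update_binfo` bounds `i` only by the compile-time constant `VIDEO_MAX_PLANES`, while the very next statement indexes `b->m.planes[i]`, whose real element count is presumably given by `b->length`; nothing visible in this hunk ties the two together. Unless callers already guarantee `b->length <= VIDEO_MAX_PLANES` and `i < b->length`, the condition should cover that as well, for example `if (i >= VIDEO_MAX_PLANES || i >= b->length) {`. Separately, `i` is now `u32` but is printed with `%d`, and it is a plane index rather than a plane count, so the message would be more accurate as `"Plane index out of range: %u, max %d\n"`. The function body continues outside the hunk, so the remaining uses of `i` could not be checked here.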
@@ -558,6 +565,7 @@ static int __map_and_update_binfo(struct msm_vidc_inst *inst,
b->m.planes[i].m.userptr = binfo->device_addr[i];
}
+exit:
return rc;
}
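Review bot: The `exit:` label added here does nothing except `return rc;`, and the only `goto exit` visible in the patch is the new bounds check. Kernel coding style prefers returning directly when there is no cleanup to perform, so the check could end with `return -EINVAL;` and the label could be dropped. This assumes no other path in the part of the function outside the hunk jumps to it.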
@@ -565,7 +573,8 @@ static int __handle_fw_referenced_buffers(struct msm_vidc_inst *inst,
struct buffer_info *binfo,
struct v4l2_buffer *b)
{
- int i = 0, rc = 0;
+ int rc = 0;
+ u32 i = 0;
if (EXTRADATA_IDX(b->length)) {
i = EXTRADATA_IDX(b->length);
@@ -583,8 +592,8 @@ int map_and_register_buf(struct msm_vidc_inst *inst, struct v4l2_buffer *b)
{
struct buffer_info *binfo = NULL;
struct buffer_info *temp = NULL, *iterator = NULL;
- int plane = 0;
- int i = 0, rc = 0;
+ int plane = 0, rc = 0;
+ u32 i = 0;
if (!b || !inst) {
dprintk(VIDC_ERR, "%s: invalid input\n", __func__);