authorLinux Build Service Account <lnxbuild@localhost>2017-01-07 23:00:03 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>2017-01-07 23:00:03 -0800
commit082aa733d83ea21de10f4ad9fa2437bda0202298 (patch)
treed5f0be83d136ef19256bac9770844a899ceab30a
parent96f3cc94ddf3402d05000996d78a2fb6f35be838 (diff)
parent77c4aba67d89ba4055b7c9bd417f49593cba497b (diff)
Merge "msm: cpp: Fix for integer overflow in cpp"
-rw-r--r--drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
index 4527d6699b88..2c661fbcd83c 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
@@ -2479,7 +2479,7 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
struct msm_buf_mngr_info buff_mgr_info, dup_buff_mgr_info;
int32_t in_fd;
int32_t num_output_bufs = 1;
- int32_t stripe_base = 0;
+ uint32_t stripe_base = 0;
uint32_t stripe_size;
uint8_t tnr_enabled;
enum msm_camera_buf_mngr_buf_type buf_type =
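Review bot: Switching the `stripe_base` declaration from `int32_t` to `uint32_t` silently changes every assignment and comparison that uses it, so a negative error value stored into it, or a `stripe_base < 0` test elsewhere in `msm_cpp_cfg_frame`, would no longer be caught. The function body starts and ends outside this hunk, so the assignment site needs to be checked by hand. The guard added in the next hunk rejects only `UINT_MAX` itself and divides by `stripe_size`, which has to be provably non-zero by that point; that validation is not visible here. I would record the invariant at the declaration, e.g. `/* unsigned: feeds the msg_len length check, must never be negative */`, and compare against `U32_MAX` rather than `UINT_MAX` so the constant matches the declared width.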
@@ -2514,6 +2514,13 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
return -EINVAL;
}
+ if (stripe_base == UINT_MAX || new_frame->num_strips >
+ (UINT_MAX - 1 - stripe_base) / stripe_size) {
+ pr_err("Invalid frame message,num_strips %d is large\n",
+ new_frame->num_strips);
+ return -EINVAL;
+ }
+
if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
new_frame->msg_len) {
pr_err("Invalid frame message,len=%d,expected=%d\n",