msm_vidc: Add checks to avoid OOB access(refined)

validate structures and payload sizes in the packet against packet size to avoid OOB access. Change-Id: I8a203a81506f603c2e37c1b2a780d3088e6933be Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
author: Sanjay Singh <sisanj@codeaurora.org> 2019-09-25 22:43:31 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2019-09-27 23:12:47 -0700
commit: 7a117f98b5fbd7726aed973448051fe71855be70 (patch)
tree: 8b8ee56e1f8d77ec2857c1c83337d37967b28621
parent: cbc9a41bff6ef49da199f8c84db2485f072a45ee (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/media/platform/msm/vidc/hfi_response_handler.c b/drivers/media/platform/msm/vidc/hfi_response_handler.c
index ec55bc7b0d89..d3a7e4ce06b7 100644
--- a/drivers/media/platform/msm/vidc/hfi_response_handler.c
+++ b/drivers/media/platform/msm/vidc/hfi_response_handler.c
@@ -1006,6 +1006,9 @@ static enum vidc_status hfi_parse_init_done_properties(
 			}
 			while (prof_count) {
 				prof_level = (struct hfi_profile_level *)ptr;
+				VALIDATE_PROPERTY_STRUCTURE_SIZE(rem_bytes -
+					next_offset,
+					sizeof(*prof_level));
 				capability.
 				profile_level.profile_level[count].profile
 					= prof_level->profile;
author	Sanjay Singh <sisanj@codeaurora.org>	2019-09-25 22:43:31 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2019-09-27 23:12:47 -0700
commit	7a117f98b5fbd7726aed973448051fe71855be70 (patch)
tree	8b8ee56e1f8d77ec2857c1c83337d37967b28621
parent	cbc9a41bff6ef49da199f8c84db2485f072a45ee (diff)