msm: camera: isp: Handle array out of bound access

The index obtained from pointer req_frm can lead to indexing stream_info beyond its boundary. Therefore, a bound check has been included to avoid this. CRs-fixed: 2008683 Change-Id: I8682e09ff2ab7ba490bbbd9e20db978493c5f3e4 Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org> Signed-off-by: Terence Ho <terenceh@codeaurora.org> Signed-off-by: Andy Sun <bins@codeaurora.org>
author: Sriraj Hebbar <srirajh@qti.qualcomm.com> 2017-06-30 13:14:28 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2017-07-17 03:45:38 -0700
commit: 9e50d6c84d5f7f6d15f59f45ae39d811b49535bd (patch)
tree: 0224215b62988fee7f4bf4293f392b470b68238d
parent: 0530e3fe605fe7346495ba0cf467051f64169af2 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
index 373a963f75aa..a85ee30769c4 100644
--- a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
+++ b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
@@ -3889,6 +3889,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
 	case UPDATE_STREAM_REQUEST_FRAMES_VER2: {
 		struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm =
 			&update_cmd->req_frm_ver2;
+		if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) {
+			pr_err("%s: Invalid stream handle\n", __func__);
+			rc = -EINVAL;
+			break;
+		}
+
 		stream_info = &axi_data->stream_info[HANDLE_TO_IDX(
 				req_frm->stream_handle)];
 		rc = msm_isp_request_frame(vfe_dev, stream_info,
author	Sriraj Hebbar <srirajh@qti.qualcomm.com>	2017-06-30 13:14:28 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2017-07-17 03:45:38 -0700
commit	9e50d6c84d5f7f6d15f59f45ae39d811b49535bd (patch)
tree	0224215b62988fee7f4bf4293f392b470b68238d
parent	0530e3fe605fe7346495ba0cf467051f64169af2 (diff)