| author | Senthil Kumar Rajagopal <skrajago@codeaurora.org> | 2017-02-15 15:08:09 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-02-28 01:24:14 -0800 |
| commit | 9fa25bf455f815a748bb518d300e84e1560bdf23 (patch) | |
| tree | 17e05d2e4ee7ef6ee939c3cba306a52932c1c463 | |
| parent | 10a55a587418b3c37a57b4beae8337432b6ff3c0 (diff) | |
msm: isp: fix for potential array out of bound access
There is no bound check on dual_hw_ms_cmd->num_src,
which is coming from userspace.
num_src is used as the limit for the for loop.
The max num_src can hold is 255 (type uint8_t).
This implies that i can go up to 254.
However dual_hw_ms_cmd->input_src can only hold 5 bytes.
So, we may access the array out of bounds.
CRs-Fixed: 2006169
Change-Id: If5927e06e70cce4afb0ae9f2cdfec80f76f83771
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c index df9691be0c28..fb3a962d15ca 100644 --- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c @@ -630,6 +630,13 @@ static int msm_isp_set_dual_HW_master_slave_mode( } ISP_DBG("%s: vfe %d num_src %d\n", __func__, vfe_dev->pdev->id, dual_hw_ms_cmd->num_src); + if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX) { + pr_err("%s: Error! Invalid num_src %d\n", __func__, + dual_hw_ms_cmd->num_src); + spin_unlock_irqrestore(&vfe_dev->common_data-> + common_dev_data_lock, flags); + return -EINVAL; + } /* This for loop is for non-primary intf to be marked with Master/Slave * in order for frame id sync. But their timestamp is not saved. * So no sof_info resource is allocated */ |
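Review bot: the bound in the added `if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX)` check is only correct if `input_src` is declared with exactly VFE_SRC_MAX elements, and nothing in this hunk shows that declaration; the commit message only says the array holds 5 bytes. Comparing against ARRAY_SIZE(dual_hw_ms_cmd->input_src) instead would tie the limit to the array itself, so a later change to either the constant or the declaration cannot silently reopen the out-of-bounds access. The `>` comparison also assumes the loop that follows indexes with `i < num_src`, as the commit message describes (i reaching 254 for num_src 255); if that is the case it is worth saying so in a short comment next to the check. A smaller point: the early return repeats the spin_unlock_irqrestore() call inline, so if the function already has an unlock-and-return path, jumping to it would keep the lock release in one place.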
