msm_vidc: Add checks to avoid OOB access(refined)

validate structures and payload sizes in the packet against packet size to avoid OOB access. Change-Id: I8a203a81506f603c2e37c1b2a780d3088e6933be Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
author: Sanjay Singh <sisanj@codeaurora.org> 2019-09-25 22:43:31 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2019-09-25 23:09:31 -0700
commit: afa865d588196d0c08121ab18eace16a64e2ede0 (patch)
tree: 2bc14da6ad93cb95748f382f17bd145c369ebc44
parent: b7cf9142baa124670542f730ceef988abfe4d196 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/media/platform/msm/vidc/hfi_response_handler.c b/drivers/media/platform/msm/vidc/hfi_response_handler.c
index ec55bc7b0d89..d3a7e4ce06b7 100644
--- a/drivers/media/platform/msm/vidc/hfi_response_handler.c
+++ b/drivers/media/platform/msm/vidc/hfi_response_handler.c
@@ -1006,6 +1006,9 @@ static enum vidc_status hfi_parse_init_done_properties(
 			}
 			while (prof_count) {
 				prof_level = (struct hfi_profile_level *)ptr;
+				VALIDATE_PROPERTY_STRUCTURE_SIZE(rem_bytes -
+					next_offset,
+					sizeof(*prof_level));
 				capability.
 				profile_level.profile_level[count].profile
 					= prof_level->profile;
author	Sanjay Singh <sisanj@codeaurora.org>	2019-09-25 22:43:31 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2019-09-25 23:09:31 -0700
commit	afa865d588196d0c08121ab18eace16a64e2ede0 (patch)
tree	2bc14da6ad93cb95748f382f17bd145c369ebc44
parent	b7cf9142baa124670542f730ceef988abfe4d196 (diff)