diff options
| author | Pratap Nirujogi <pratapn@codeaurora.org> | 2017-02-20 17:29:33 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-03-02 02:02:24 -0800 |
| commit | b5ac2b42fdd2fffc9d887f43491715d2f733497f (patch) | |
| tree | d6f86674e3cefd2ea05a21900abb072f9b4c3b72 | |
| parent | 81eef00c6735412494d82607be1f1aaa2cb3c616 (diff) | |
msm: camera: cpp: Fixing Heap overflow in output buffer
Issue:
Missing bound check when writing into the output array
buffer, which can lead to out-of-bound heap write.
Fix:
Addding hardcoded constant 8 in the MSM_OUTPUT_BUF_CNT
macro and size check to the place where the array is
accessed. Returning '0' if exceeds MSM_OUTPUT_BUF_CNT.
Caller will return -EINVAL for '0'.
Change-Id: Ic03f86e3e47ece9ca7069527e741a75ad9a0f83f
CRs-Fixed: 2004036
Signed-off-by: Pratap Nirujogi <pratapn@codeaurora.org>
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 2 | ||||
| -rw-r--r-- | include/uapi/media/msmb_pproc.h | 3 |
2 files changed, 4 insertions, 1 deletions
diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c index 064c1e8c5bab..08aab077eec7 100644 --- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c @@ -2116,6 +2116,8 @@ static int msm_cpp_check_buf_type(struct msm_buf_mngr_info *buff_mgr_info, /* More or equal bufs as Input buffer */ num_output_bufs = new_frame->batch_info.batch_size; } + if (num_output_bufs > MSM_OUTPUT_BUF_CNT) + return 0; for (i = 0; i < num_output_bufs; i++) { new_frame->output_buffer_info[i].index = buff_mgr_info->user_buf.buf_idx[i]; diff --git a/include/uapi/media/msmb_pproc.h b/include/uapi/media/msmb_pproc.h index b65669b87a21..8f454571e69d 100644 --- a/include/uapi/media/msmb_pproc.h +++ b/include/uapi/media/msmb_pproc.h @@ -16,6 +16,7 @@ #define MSM_CPP_MAX_FRAME_LENGTH 4096 #define MSM_CPP_MAX_FW_NAME_LEN 32 #define MAX_FREQ_TBL 10 +#define MSM_OUTPUT_BUF_CNT 8 enum msm_cpp_frame_type { MSM_CPP_OFFLINE_FRAME, @@ -76,7 +77,7 @@ struct msm_cpp_frame_info_t { uint32_t feature_mask; uint8_t we_disable; struct msm_cpp_buffer_info_t input_buffer_info; - struct msm_cpp_buffer_info_t output_buffer_info[8]; + struct msm_cpp_buffer_info_t output_buffer_info[MSM_OUTPUT_BUF_CNT]; struct msm_cpp_buffer_info_t duplicate_buffer_info; struct msm_cpp_buffer_info_t tnr_scratch_buffer_info[2]; uint32_t reserved; |