diff options
| author | Linux Build Service Account <lnxbuild@localhost> | 2017-04-20 16:10:24 -0700 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-04-20 16:10:24 -0700 |
| commit | ddc8181a4632cd6e53dcffc1bee85196a608dfb4 (patch) | |
| tree | 6727bacbbbc55c3776482bc565e0690a733f10ed | |
| parent | 68ddf4f0c2eec13613c4f3051651b02b2a93a7bd (diff) | |
| parent | fd70b655d901e626403f132b65fc03d993f0a09b (diff) | |
Merge "msm: camera: isp: add bound check to handle array out of access"
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 6 | ||||
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h | 5 |
2 files changed, 11 insertions, 0 deletions
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c index b9b0f3f0d5f3..63e46125c292 100644 --- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c +++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c @@ -3953,6 +3953,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg) &update_cmd->req_frm_ver2; stream_info = msm_isp_get_stream_common_data(vfe_dev, HANDLE_TO_IDX(req_frm->stream_handle)); + if (stream_info == NULL) { + pr_err_ratelimited("%s: stream_info is NULL\n", + __func__); + rc = -EINVAL; + break; + } rc = msm_isp_request_frame(vfe_dev, stream_info, req_frm->user_stream_id, req_frm->frame_id, diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h index 65009cb22286..a8d4cfb43927 100644 --- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h +++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h @@ -141,6 +141,11 @@ static inline struct msm_vfe_axi_stream *msm_isp_get_stream_common_data( struct msm_vfe_common_dev_data *common_data = vfe_dev->common_data; struct msm_vfe_axi_stream *stream_info; + if (stream_idx >= VFE_AXI_SRC_MAX) { + pr_err("invalid stream_idx %d\n", stream_idx); + return NULL; + } + if (vfe_dev->is_split && stream_idx < RDI_INTF_0) stream_info = &common_data->streams[stream_idx]; else |