msm: mdss: Add plane_count limit check for mdss_rotator buffer

For each input and output buffer given to mdss rotator, it is necessary
to check the range of the plane_count value against the MAX_PLANES
definition, in order to avoid any plane array out of bound access.

CRs-Fixed: 2028681
Change-Id: I117bf5daead17e5e97c62c6dc8e21d1fcc9d8e74
Signed-off-by: Benjamin Chan <bkchan@codeaurora.org>

1 files changed, 20 insertions, 0 deletions

diff --git a/drivers/video/fbdev/msm/mdss_rotator.c b/drivers/video/fbdev/msm/mdss_rotator.c
index fdd1c0153ce0..399a12e3dcc8 100644
--- a/drivers/video/fbdev/msm/mdss_rotator.c
+++ b/drivers/video/fbdev/msm/mdss_rotator.c
@@ -501,6 +501,12 @@ static int mdss_rotator_import_buffer(struct mdp_layer_buffer *buffer,
 
 	memset(planes, 0, sizeof(planes));
 
+	if (buffer->plane_count > MAX_PLANES) {
+		pr_err("buffer plane_count exceeds MAX_PLANES limit:%d\n",
+				buffer->plane_count);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < buffer->plane_count; i++) {
 		planes[i].memory_id = buffer->planes[i].fd;
 		planes[i].offset = buffer->planes[i].offset;
@@ -2104,6 +2110,20 @@ struct mdss_rot_entry_container *mdss_rotator_req_init(
 	struct mdss_rot_entry_container *req;
 	int size, i;
 
+	/*
+	 * Check input and output plane_count from each given item
+	 * are within the MAX_PLANES limit
+	 */
+	for (i = 0 ; i < count; i++) {
+		if ((items[i].input.plane_count > MAX_PLANES) ||
+				(items[i].output.plane_count > MAX_PLANES)) {
+			pr_err("Input/Output plane_count exceeds MAX_PLANES limit, input:%d, output:%d\n",
+					items[i].input.plane_count,
+					items[i].output.plane_count);
+			return ERR_PTR(-EINVAL);
+		}
+	}
+
 	size = sizeof(struct mdss_rot_entry_container);
 	size += sizeof(struct mdss_rot_entry) * count;
 	req = devm_kzalloc(&mgr->pdev->dev, size, GFP_KERNEL);