summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
index b7724b4bf936..5be2748faf18 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
@@ -2479,7 +2479,7 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
struct msm_buf_mngr_info buff_mgr_info, dup_buff_mgr_info;
int32_t in_fd;
int32_t num_output_bufs = 1;
- int32_t stripe_base = 0;
+ uint32_t stripe_base = 0;
uint32_t stripe_size;
uint8_t tnr_enabled;
enum msm_camera_buf_mngr_buf_type buf_type =
@@ -2514,6 +2514,13 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
return -EINVAL;
}
+ if (stripe_base == UINT_MAX || new_frame->num_strips >
+ (UINT_MAX - 1 - stripe_base) / stripe_size) {
+ pr_err("Invalid frame message,num_strips %d is large\n",
+ new_frame->num_strips);
+ return -EINVAL;
+ }
+
if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
new_frame->msg_len) {
pr_err("Invalid frame message,len=%d,expected=%d\n",
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-24 21:52:52 +0000