From 27e5b60af8b7b1fd289b1438a69866a125dacbdc Mon Sep 17 00:00:00 2001
From: Suman Mukherjee <sumam@codeaurora.org>
Date: Wed, 13 Apr 2016 16:36:00 -0700
Subject: [PATCH] msm: camera: ispif: Validate VFE num input during reset

Userspace supplies the actual number of used VFEs in session to ISPIF.
Validate the userspace input value and if found to be invalid, return
error.

BUG=27600832

Change-Id: I91944434e9a83d34af765c40bf8ad297a09ce2f5
---
 drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
index 303f26553ae0..da42a3fab2a1 100644
--- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
@@ -881,6 +881,13 @@ static irqreturn_t msm_io_ispif_irq(int irq_num, void *data)
 static int msm_ispif_set_vfe_info(struct ispif_device *ispif,
 	struct msm_ispif_vfe_info *vfe_info)
 {
+        if (!vfe_info || (vfe_info->num_vfe <= 0) ||
+	    ((uint32_t)(vfe_info->num_vfe) > VFE_MAX)) {
+		pr_err("Invalid VFE info: %p %d\n", vfe_info,
+			   (vfe_info ? vfe_info->num_vfe:0));
+ 		return -EINVAL;
+	}
+
 	memcpy(&ispif->vfe_info, vfe_info, sizeof(struct msm_ispif_vfe_info));
 
 	return 0;
-- 
GitLab