From 89e0fbac4c2b6c93c799720e71b4b3bed99ddd3e Mon Sep 17 00:00:00 2001
From: Suman Mukherjee <sumam@codeaurora.org>
Date: Tue, 9 Dec 2014 13:25:36 +0530
Subject: [PATCH] msm: camera: add check for csid_cid to prevent of overwrite
 memory

add sanity check for csid cid to ensute that we never read or write
outside csid_dev->mem buffer

Bug: 19134929
Change-Id: Ic8f0d689fa176720ae3a3316f2ad27556ae7bde5
Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
Signed-off-by: Patrick Tjin <pattjin@google.com>
---
 .../media/platform/msm/camera_v2/sensor/csid/msm_csid.c    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
index 78136d32da84..04068c2f62c9 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
@@ -48,6 +48,13 @@ static int msm_csid_cid_lut(
 		return -EINVAL;
 	}
 	for (i = 0; i < csid_lut_params->num_cid && i < 16; i++) {
+		if (csid_lut_params->vc_cfg[i]->cid >=
+			csid_lut_params->num_cid ||
+			csid_lut_params->vc_cfg[i]->cid < 0) {
+				pr_err("%s: cid outside range %d\n",
+					__func__, csid_lut_params->vc_cfg[i]->cid);
+				return -EINVAL;
+		}
 		CDBG("%s lut params num_cid = %d, cid = %d, dt = %x, df = %d\n",
 			__func__,
 			csid_lut_params->num_cid,
-- 
GitLab