From ccc0cefed718708acf4be23c165f7e80edd1ba0d Mon Sep 17 00:00:00 2001
From: Praveen Chavan <pchavan@codeaurora.org>
Date: Wed, 20 Jan 2016 23:17:19 -0800
Subject: [PATCH] msm: vidc: Do sanity check for different IOCTL cmd

Wrong buffer length or buffer type sent by V4L2 client
is not handled properly in V4L2 framework, which results
in page fault situation in different IOCTL functions
like prepare buf. Do a sanity check for the same.

Author: Pushkaraj Patil <ppatil@codeaurora.org>

Bug: 26425736

Change-Id: I795076e8f7fc6d511eb728f44cd50015e704ffa1
Signed-off-by: Pushkaraj Patil <ppatil@codeaurora.org>
Signed-off-by: Praveen Chavan <pchavan@codeaurora.org>
---
 drivers/media/platform/msm/vidc/msm_vidc.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/drivers/media/platform/msm/vidc/msm_vidc.c b/drivers/media/platform/msm/vidc/msm_vidc.c
index 6c7205ad909e..77b29cc18c91 100644
--- a/drivers/media/platform/msm/vidc/msm_vidc.c
+++ b/drivers/media/platform/msm/vidc/msm_vidc.c
@@ -701,6 +701,13 @@ int msm_vidc_prepare_buf(void *instance, struct v4l2_buffer *b)
 	if (!inst || !b)
 		return -EINVAL;
 
+	if (!V4L2_TYPE_IS_MULTIPLANAR(b->type) || !b->length ||
+		(b->length > VIDEO_MAX_PLANES)) {
+		dprintk(VIDC_ERR, "%s: wrong input params\n",
+				__func__);
+		return -EINVAL;
+	}
+
 	if (is_dynamic_output_buffer_mode(b, inst)) {
 		dprintk(VIDC_ERR, "%s: not supported in dynamic buffer mode\n",
 				__func__);
@@ -843,9 +850,10 @@ int msm_vidc_qbuf(void *instance, struct v4l2_buffer *b)
 	if (!inst || !b)
 		return -EINVAL;
 
-	if (b->length > VIDEO_MAX_PLANES) {
-		dprintk(VIDC_ERR, "num planes exceeds max: %d\n",
-			b->length);
+	if (!V4L2_TYPE_IS_MULTIPLANAR(b->type) || !b->length ||
+		(b->length > VIDEO_MAX_PLANES)) {
+		dprintk(VIDC_ERR, "%s: wrong input params\n",
+				__func__);
 		return -EINVAL;
 	}
 
@@ -916,9 +924,10 @@ int msm_vidc_dqbuf(void *instance, struct v4l2_buffer *b)
 	if (!inst || !b)
 		return -EINVAL;
 
-	if (b->length > VIDEO_MAX_PLANES) {
-		dprintk(VIDC_ERR, "num planes exceed maximum: %d\n",
-			b->length);
+	if (!V4L2_TYPE_IS_MULTIPLANAR(b->type) || !b->length ||
+		(b->length > VIDEO_MAX_PLANES)) {
+		dprintk(VIDC_ERR, "%s: wrong input params\n",
+				__func__);
 		return -EINVAL;
 	}
 
-- 
GitLab