diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
index 94ddcae09b26d546dfe62a6048facf33cac423c3..b1b7fabbfdf2a5703acf9f7e4d01312de28200db 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
@@ -500,28 +500,42 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
 cmd_len);
 return -EINVAL;
 }
+
+ /* Validate input parameters */
 switch (reg_cfg_cmd->cmd_type) {
- case VFE_WRITE: {
- if (reg_cfg_cmd->u.rw_info.reg_offset <
- resource_size(vfe_dev->vfe_mem)) {
- uint32_t diff = 0;
- diff = resource_size(vfe_dev->vfe_mem) -
- reg_cfg_cmd->u.rw_info.reg_offset;
- if (diff < reg_cfg_cmd->u.rw_info.len) {
- pr_err("%s: VFE_WRITE: Invalid length\n",
- __func__);
- return -EINVAL;
- }
- } else {
- pr_err("%s: VFE_WRITE: Invalid length\n", __func__);
+ case VFE_WRITE:
+ case VFE_READ: {
+ if ((reg_cfg_cmd->u.rw_info.reg_offset >
+ (UINT_MAX - reg_cfg_cmd->u.rw_info.len)) ||
+ ((reg_cfg_cmd->u.rw_info.reg_offset +
+ reg_cfg_cmd->u.rw_info.len) >
+ resource_size(vfe_dev->vfe_mem))) {
+ pr_err("%s:%d reg_offset %d len %d res %d\n",
+ __func__, __LINE__,
+ reg_cfg_cmd->u.rw_info.reg_offset,
+ reg_cfg_cmd->u.rw_info.len,
+ (uint32_t)resource_size(vfe_dev->vfe_mem));
 return -EINVAL;
 }
- if (resource_size(vfe_dev->vfe_mem) <
- (reg_cfg_cmd->u.rw_info.reg_offset +
- reg_cfg_cmd->u.rw_info.len)) {
- pr_err("%s: VFE_WRITE: Invalid length\n", __func__);
+
+ if ((reg_cfg_cmd->u.rw_info.cmd_data_offset >
+ (UINT_MAX - reg_cfg_cmd->u.rw_info.len)) ||
+ ((reg_cfg_cmd->u.rw_info.cmd_data_offset +
+ reg_cfg_cmd->u.rw_info.len) > cmd_len)) {
+ pr_err("%s:%d cmd_data_offset %d len %d cmd_len %d\n",
+ __func__, __LINE__,
+ reg_cfg_cmd->u.rw_info.cmd_data_offset,
+ reg_cfg_cmd->u.rw_info.len, cmd_len);
 return -EINVAL;
 }
+ break;
+ }
+ default:
+ break;
+ }
+
+ switch (reg_cfg_cmd->cmd_type) {
+ case VFE_WRITE: {
 msm_camera_io_memcpy(vfe_dev->vfe_base +
 reg_cfg_cmd->u.rw_info.reg_offset,
 cfg_data + reg_cfg_cmd->u.rw_info.cmd_data_offset/4,
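Review bot: The new validation switch bounds-checks only `VFE_WRITE` and `VFE_READ`; its `default: break;` passes every other `cmd_type` on to the second switch unchecked. That second switch continues outside this hunk, so this is inferred rather than visible, but any remaining case that offsets `vfe_dev->vfe_base` or `cfg_data` by fields of `reg_cfg_cmd` needs the same overflow and range checks; an explicit case list, or a comment on the default arm such as `/* remaining cmd types are range-checked in their own case below */`, would make the coverage auditable. The checks also accept a `reg_offset` or `cmd_data_offset` that is not a multiple of 4 even though the copy uses `cmd_data_offset/4`; if the command fields can come from user space, rejecting unaligned values here is worth considering. Finally, both `pr_err` calls print `reg_offset`, `len` and `cmd_len` with `%d` although the values are compared against `UINT_MAX`; `%u` would keep the rejected overflow values readable in the log, and `pr_err_ratelimited` would stop a caller that repeatedly sends bad commands from flooding it.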