From f2402f4de5030e085ffc765505b997923ffdea2e Mon Sep 17 00:00:00 2001
From: Satyanarayana Dash <sadash@codeaurora.org>
Date: Tue, 23 Jan 2018 18:24:27 +0530
Subject: [PATCH] msm: camera: isp: Handle array out of bounds

The pointer qbuf_buf comes from userspace.
qbuf_buf->num_planes is used without a bounds check;
if it is set to a large value, it overflows
buf_info->mapped_info and qbuf_buf->planes

Bug: 38196031

CRs-Fixed: 2003798
Change-Id: I332e0424e57bb14b481a740604a09350e6f029a8
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
---
 .../media/platform/msm/camera_v2/isp/msm_buf_mgr.c   | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
index 4199517e7624..f72d612ddf15 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
@@ -241,6 +241,12 @@ static void msm_isp_unprepare_v4l2_buf(
 	else
 		iommu_hdl = buf_mgr->sec_iommu_hdl;
 
+	if (buf_info->num_planes > VIDEO_MAX_PLANES) {
+		pr_err("%s: Invalid num_planes %d \n",
+			__func__, buf_info->num_planes);
+		return;
+	}
+
 	for (i = 0; i < buf_info->num_planes; i++) {
 		mapped_info = &buf_info->mapped_info[i];
 		if (mapped_info != NULL)
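Review bot: The guard added before the `for` loop rejects only values above VIDEO_MAX_PLANES; the `%d` specifier suggests num_planes is a signed int, and if the loop index `i` is unsigned, a negative num_planes would pass the check and be promoted to a large unsigned bound in `i < buf_info->num_planes`. If the field is indeed signed, `if (buf_info->num_planes < 0 || buf_info->num_planes > VIDEO_MAX_PLANES)` closes that case as well; the same applies to the identical check in msm_isp_buf_prepare below. The format string also carries a stray space before `\n`, and since this path is reachable from userspace, `pr_err_ratelimited` would keep a misbehaving client from flooding the log. msm_isp_unprepare_v4l2_buf begins outside the hunk, so the declared types of i and num_planes cannot be confirmed here.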
@@ -327,6 +333,12 @@ static int msm_isp_buf_prepare(struct msm_isp_buf_mgr *buf_mgr,
 		return rc;
 	}
 
+	if (buf_info->num_planes > VIDEO_MAX_PLANES) {
+		pr_err("%s: Invalid num_planes %d \n",
+			__func__, buf_info->num_planes);
+		return rc;
+	}
+
 	bufq = msm_isp_get_bufq(buf_mgr, buf_info->bufq_handle);
 	if (!bufq) {
 		pr_err("%s: Invalid bufq\n",
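Review bot: The new early return hands back `rc`, whose value at this point is not established in the hunk; if the preceding call left rc at 0, the caller would treat the rejected buffer as successfully prepared. Returning an explicit error, `return -EINVAL;`, makes the failure unambiguous regardless of what rc holds. The commit message names qbuf_buf->num_planes as the userspace value, while the check is on buf_info->num_planes; the copy from the userspace struct is not visible here, so it is worth confirming it happens before this point. msm_isp_buf_prepare begins outside the hunk, so whether rc is already non-zero cannot be confirmed.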
-- 
GitLab