From f96b4098f3f76d29bae01b6c4154e92c1bfa5260 Mon Sep 17 00:00:00 2001 From: Suman Mukherjee <sumam@codeaurora.org> Date: Wed, 13 Apr 2016 16:36:00 -0700 Subject: [PATCH] msm: camera: ispif: Validate VFE num input during reset Userspace supplies the actual number of used VFEs in session to ISPIF. Validate the userspace input value and if found to be invalid, return error. BUG=27600832 Change-Id: I91944434e9a83d34af765c40bf8ad297a09ce2f5 --- drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c index ec7670263b38..00525509bebe 100644 --- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c +++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c @@ -778,6 +778,13 @@ static irqreturn_t msm_io_ispif_irq(int irq_num, void *data) static int msm_ispif_set_vfe_info(struct ispif_device *ispif, struct msm_ispif_vfe_info *vfe_info) { + if (!vfe_info || (vfe_info->num_vfe <= 0) || + ((uint32_t)(vfe_info->num_vfe) > VFE_MAX)) { + pr_err("Invalid VFE info: %p %d\n", vfe_info, + (vfe_info ? vfe_info->num_vfe:0)); + return -EINVAL; + } + memcpy(&ispif->vfe_info, vfe_info, sizeof(struct msm_ispif_vfe_info)); return 0; -- GitLab