msm: camera: isp: Handle array out of bounds

The pointer qbuf_buf comes from userspace. qbuf_buf->num_planes is used with no bound check, which if set to a large value, it will overflow buf_info->mapped_info and qbuf_buf->planes CRs-Fixed: 2003798 Bug: 38196031 Git-repo: https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit Git-commit: 333a535f8323821b1d46b408f2305712640d1767 Change-Id: I332e0424e57bb14b481a740604a09350e6f029a8 Signed-off-by: Senthil Kumar Rajagopal <[email protected]> Signed-off-by: Dennis Cagle <[email protected]>
franciscofranco · Jul 19, 2017 · 700c28e · 700c28e
1 parent 63764a2
commit 700c28e
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
@@ -139,6 +139,13 @@ static int msm_isp_prepare_isp_buf(struct msm_isp_buf_mgr *buf_mgr,
 		domain_num = buf_mgr->iommu_domain_num;
 	else
 		domain_num = buf_mgr->iommu_domain_num_secure;
+
+	if (qbuf_buf->num_planes > MAX_PLANES_PER_STREAM) {
+		pr_err("%s: Invalid num_planes %d\n",
+			__func__, qbuf_buf->num_planes);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < qbuf_buf->num_planes; i++) {
 		mapped_info = &buf_info->mapped_info[i];
 		mapped_info->handle =
@@ -196,6 +203,13 @@ static void msm_isp_unprepare_v4l2_buf(
 		domain_num = buf_mgr->iommu_domain_num;
 	else
 		domain_num = buf_mgr->iommu_domain_num_secure;
+
+	if (buf_info->num_planes > VIDEO_MAX_PLANES) {
+		pr_err("%s: Invalid num_planes %d\n",
+			__func__, buf_info->num_planes);
+		return;
+	}
+
 	for (i = 0; i < buf_info->num_planes; i++) {
 		mapped_info = &buf_info->mapped_info[i];
 		ion_unmap_iommu(buf_mgr->client, mapped_info->handle,