msm: camera: isp: fix for out of bound access array

There is no bound check in stream_cfg_cmd->num_streams and it's used in several places as a maximum index into the stream_cfg_cmd->stream_handle array which has a size of 15. Current code didn't check the maximum index to make sure it didn't exceed the array size. Bug: 62379525 Change-Id: Idcf639486d235551882dafc34d9e798d78c70bf0 Signed-off-by: Maggie White <[email protected]> CVE-2017-8251 Signed-off-by: Kevin F. Haggerty <[email protected]> Signed-off-by: Francisco Franco <[email protected]>
franciscofranco · Sep 16, 2017 · 0337ca1 · 0337ca1
1 parent fe1a2ee
commit 0337ca1
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
@@ -384,6 +384,13 @@ static int msm_isp_start_stats_stream(struct vfe_device *vfe_dev,
 	uint32_t stats_mask = 0, comp_stats_mask = 0, idx;
 	struct msm_vfe_stats_stream *stream_info;
 	struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data;
+
+	if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
+		pr_err("%s invalid num_streams %d\n", __func__,
+			stream_cfg_cmd->num_streams);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
 		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
 
@@ -434,6 +441,13 @@ static int msm_isp_stop_stats_stream(struct vfe_device *vfe_dev,
 	uint32_t stats_mask = 0, comp_stats_mask = 0, idx;
 	struct msm_vfe_stats_stream *stream_info;
 	struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data;
+
+	if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
+		pr_err("%s invalid num_streams %d\n", __func__,
+			stream_cfg_cmd->num_streams);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
 		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);