msm: camera: Fix memory read by adding bounds check

Adds bound check on reg_cfg_cmd->u.dmi_info.hi_tbl_offset. IOCTL VIDIOC_MSM_VFE_REG_CFG uses usersupplied value without performing bounds check for following cmd_type. VFE_READ_DMI_16BIT VFE_READ_DMI_32BIT VFE_READ_DMI_64BIT Change-Id: I554c45ef3a172f5b5891b67a7e8e7a1f3f3882ed Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
author: Trishansh Bhardwaj <tbhardwa@codeaurora.org> 2016-06-29 14:34:31 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2016-07-15 02:23:44 -0700
commit: fcd868b454483b6f6c6c9a82dc793259c573d504 (patch)
tree: 58402d79b470fb586aa918371512e8a8b90c720c /drivers/media/platform
parent: aa958278d16faccd0cc79650b94ea6aa18d4131d (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
index 5b12c1239bf4..5e24b146619d 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
@@ -1005,7 +1005,8 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
 	case VFE_READ_DMI_16BIT:
 	case VFE_READ_DMI_32BIT:
 	case VFE_READ_DMI_64BIT: {
-		if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) {
+		if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT ||
+			reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {
 			if ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset <=
 				reg_cfg_cmd->u.dmi_info.lo_tbl_offset) ||
 				(reg_cfg_cmd->u.dmi_info.hi_tbl_offset -
author	Trishansh Bhardwaj <tbhardwa@codeaurora.org>	2016-06-29 14:34:31 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2016-07-15 02:23:44 -0700
commit	fcd868b454483b6f6c6c9a82dc793259c573d504 (patch)
tree	58402d79b470fb586aa918371512e8a8b90c720c /drivers/media/platform
parent	aa958278d16faccd0cc79650b94ea6aa18d4131d (diff)