author | Pratap Nirujogi <pratapn@codeaurora.org> | 2017-02-20 17:29:33 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-03-02 02:02:24 -0800 |
commit | b5ac2b42fdd2fffc9d887f43491715d2f733497f (patch) | |
tree | d6f86674e3cefd2ea05a21900abb072f9b4c3b72 /include/uapi | |
parent | 81eef00c6735412494d82607be1f1aaa2cb3c616 (diff) |
msm: camera: cpp: Fixing Heap overflow in output buffer
Issue:
Missing bound check when writing into the output array
buffer, which can lead to out-of-bound heap write.
Fix:
Adding hardcoded constant 8 in the MSM_OUTPUT_BUF_CNT
macro and size check to the place where the array is
accessed. Returning '0' if exceeds MSM_OUTPUT_BUF_CNT.
Caller will return -EINVAL for '0'.
Change-Id: Ic03f86e3e47ece9ca7069527e741a75ad9a0f83f
CRs-Fixed: 2004036
Signed-off-by: Pratap Nirujogi <pratapn@codeaurora.org>
Diffstat (limited to 'include/uapi')
-rw-r--r-- | include/uapi/media/msmb_pproc.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/include/uapi/media/msmb_pproc.h b/include/uapi/media/msmb_pproc.h
index b65669b87a21..8f454571e69d 100644
--- a/include/uapi/media/msmb_pproc.h
+++ b/include/uapi/media/msmb_pproc.h
@@ -16,6 +16,7 @@
 #define MSM_CPP_MAX_FRAME_LENGTH 4096
 #define MSM_CPP_MAX_FW_NAME_LEN 32
 #define MAX_FREQ_TBL 10
+#define MSM_OUTPUT_BUF_CNT 8
 enum msm_cpp_frame_type {
 MSM_CPP_OFFLINE_FRAME,
@@ -76,7 +77,7 @@ struct msm_cpp_frame_info_t {
 uint32_t feature_mask;
 uint8_t we_disable;
 struct msm_cpp_buffer_info_t input_buffer_info;
- struct msm_cpp_buffer_info_t output_buffer_info[8];
+ struct msm_cpp_buffer_info_t output_buffer_info[MSM_OUTPUT_BUF_CNT];
 struct msm_cpp_buffer_info_t duplicate_buffer_info;
 struct msm_cpp_buffer_info_t tnr_scratch_buffer_info[2];
 uint32_t reserved; |
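Review bot: The new `MSM_OUTPUT_BUF_CNT` define in the first hunk has no comment saying that it sizes `output_buffer_info[]` in `struct msm_cpp_frame_info_t`, a structure in a uapi header whose layout is shared with userspace. Changing the value later would alter that layout and every index check written against the macro, so a comment above the define would help, for example `/* Entries in msm_cpp_frame_info_t.output_buffer_info[]; fixes the uapi struct layout, do not change */`. The name also lacks the `MSM_CPP_` prefix used by its neighbours `MSM_CPP_MAX_FRAME_LENGTH` and `MSM_CPP_MAX_FW_NAME_LEN`, which matters in a header exported to userspace. The index check described in the commit message is not visible here because the diff is limited to include/uapi, so it presumably lives in the driver source; the struct body in the second hunk continues outside the hunk.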