msm: camera: common: Add validation check for cpu buffers before accessing

Add validation check before accessing the packets and configs from
the buffers.

CRs-Fixed: 2360223, 2416463
Change-Id: I9a09bc7064fd7e7914f91576542181c301db926d
Signed-off-by: Abhilash Kumar <krabhi@codeaurora.org>
Signed-off-by: Mukund Madhusudan Atre <matre@codeaurora.org>

drivers/cam_icp/cam_icp_context.c

@@ -129,6 +129,7 @@ static int __cam_icp_config_dev_in_ready(struct cam_context *ctx,
 	size_t len;
 	uintptr_t packet_addr;
 	struct cam_packet *packet;
+	size_t remain_len = 0;
 
 	rc = cam_mem_get_cpu_buf((int32_t) cmd->packet_handle,
 		&packet_addr, &len);
@@ -139,9 +140,26 @@ static int __cam_icp_config_dev_in_ready(struct cam_context *ctx,
 		return rc;
 	}
 
+	remain_len = len;
+	if ((len < sizeof(struct cam_packet)) ||
+		(cmd->offset >= (len - sizeof(struct cam_packet)))) {
+		CAM_ERR(CAM_CTXT,
+			"Invalid offset, len: %zu cmd offset: %llu sizeof packet: %zu",
+			len, cmd->offset, sizeof(struct cam_packet));
+		return -EINVAL;
+	}
+
+	remain_len -= (size_t)cmd->offset;
 	packet = (struct cam_packet *) ((uint8_t *)packet_addr +
 		(uint32_t)cmd->offset);
 
+	rc = cam_packet_util_validate_packet(packet, remain_len);
+	if (rc) {
+		CAM_ERR(CAM_CTXT, "Invalid packet params, remain length: %zu",
+			remain_len);
+		return rc;
+	}
+
 	if (((packet->header.op_code & 0xff) ==
 		CAM_ICP_OPCODE_IPE_SETTINGS) ||
 		((packet->header.op_code & 0xff) ==