From 890c319fc8f0d798f19856227a5fd9d8a95b8919 Mon Sep 17 00:00:00 2001
From: Jigar Agrawal <jigar@codeaurora.org>
Date: Wed, 13 Oct 2021 15:09:54 -0700
Subject: [PATCH] msm: camera: common: Fix kernel code and add checks

Fix Kernel code and add security checks to avoid
possible out of bound array access variables.

CRs-fixed: 3038735
Change-Id: Idaf0889026dbf138d0cb94a0f88e5b6941ff21e2
Signed-off-by: Jigar Agrawal <jigar@codeaurora.org>
---
 drivers/cam_isp/cam_isp_context.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/cam_isp/cam_isp_context.c b/drivers/cam_isp/cam_isp_context.c
index 6ce8667ff3..7fc205c879 100644
--- a/drivers/cam_isp/cam_isp_context.c
+++ b/drivers/cam_isp/cam_isp_context.c
@@ -1331,6 +1331,13 @@ static int __cam_isp_ctx_handle_buf_done_for_request_verify_addr(
 	CAM_DBG(CAM_ISP, "Enter with bubble_state %d, req_bubble_detected %d",
 		bubble_state, req_isp->bubble_detected);
 
+	if (done->num_handles > CAM_NUM_OUT_PER_COMP_IRQ_MAX) {
+		CAM_ERR(CAM_ISP, "ctx: %u req: %llu num_handles: %u is more than %u",
+			ctx->ctx_id, req->request_id,
+			done->num_handles, CAM_NUM_OUT_PER_COMP_IRQ_MAX);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < done->num_handles; i++) {
 		for (j = 0; j < req_isp->num_fence_map_out; j++) {
 			cmp_addr = cam_smmu_is_expanded_memory() ? CAM_36BIT_INTF_GET_IOVA_BASE(