首頁 探索 說明
登入
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
瀏覽代碼

msm: camera: ife: Correct sanitary check logic

Current sanitary checks for integer overflow exhibit incorrect
behavior if number of RDI/paths paths are filled in as zero.
This change addresses that.

CRs-Fixed: 2513939
Change-Id: Ib4cf369971f2d50be0ec167ff78f46fb0d985b33
Signed-off-by: Venkat Chinta <[email protected]>
Venkat Chinta 6 年之前
父節點
9c771385d3
當前提交
9556262e87
共有 1 個文件被更改,包括 12 次插入9 次删除
分割檢視 顯示文件統計
  1. 12 9
      drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c

+ 12 - 9
drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
查看文件 

@@ -4846,7 +4846,7 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 
 		}
 
 
 		/* Check for integer overflow */
 
-		if (clock_config->num_rdi != 1) {
 
+		if (clock_config->num_rdi > 1) {
 
 			if (sizeof(uint64_t) > ((UINT_MAX -
 
 				sizeof(struct cam_isp_clock_config)) /
 
 				(clock_config->num_rdi - 1))) {
 
@@ -4858,8 +4858,9 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 
 			}
 
 		}
 
 
-		if (blob_size < (sizeof(struct cam_isp_clock_config) +
 
-			sizeof(uint64_t) * (clock_config->num_rdi - 1))) {
 
+		if ((clock_config->num_rdi != 0) && (blob_size <
 
+			(sizeof(struct cam_isp_clock_config) +
 
+			sizeof(uint64_t) * (clock_config->num_rdi - 1)))) {
 
 			CAM_ERR(CAM_ISP, "Invalid blob size %u expected %lu",
 
 				blob_size,
 
 				sizeof(uint32_t) * 2 + sizeof(uint64_t) *
 
@@ -4893,7 +4894,7 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 
 		}
 
 
 		/* Check for integer overflow */
 
-		if (bw_config->num_rdi != 1) {
 
+		if (bw_config->num_rdi > 1) {
 
 			if (sizeof(struct cam_isp_bw_vote) > ((UINT_MAX -
 
 				sizeof(struct cam_isp_bw_config)) /
 
 				(bw_config->num_rdi - 1))) {
 
@@ -4905,9 +4906,10 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 
 			}
 
 		}
 
 
-		if (blob_size < (sizeof(struct cam_isp_bw_config) +
 
+		if ((bw_config->num_rdi != 0) && (blob_size <
 
+			(sizeof(struct cam_isp_bw_config) +
 
 			(bw_config->num_rdi - 1) *
 
-			sizeof(struct cam_isp_bw_vote))) {
 
+			sizeof(struct cam_isp_bw_vote)))) {
 
 			CAM_ERR(CAM_ISP, "Invalid blob size %u expected %lu",
 
 				blob_size, sizeof(struct cam_isp_bw_config) +
 
 				(bw_config->num_rdi - 1) *
 
@@ -4949,7 +4951,7 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 
 		}
 
 
 		/* Check for integer overflow */
 
-		if (bw_config->num_paths != 1) {
 
+		if (bw_config->num_paths > 1) {
 
 			if (sizeof(struct cam_axi_per_path_bw_vote) >
 
 				((UINT_MAX -
 
 				sizeof(struct cam_isp_bw_config_v2)) /
 
@@ -4963,8 +4965,9 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 
 			}
 
 		}
 
 
-		if (blob_size < (sizeof(struct cam_isp_bw_config_v2) +
 
-			((bw_config->num_paths - 1) *
 
+		if ((bw_config->num_paths != 0) && (blob_size <
 
+			(sizeof(struct cam_isp_bw_config_v2) +
 
+			(bw_config->num_paths - 1) *
 
 			sizeof(struct cam_axi_per_path_bw_vote)))) {
 
 			CAM_ERR(CAM_ISP,
 
 				"Invalid blob size: %u, num_paths: %u, bw_config size: %lu, per_path_vote size: %lu",