msm: camera: ife: Correct sanitary check logic

Current sanitary checks for integer overflow exhibit incorrect behavior if number of RDI/paths paths are filled in as zero. This change addresses that. CRs-Fixed: 2513939 Change-Id: Ib4cf369971f2d50be0ec167ff78f46fb0d985b33 Signed-off-by: Venkat Chinta <vchinta@codeaurora.org>
2019-08-05 19:18:44 -07:00
parent 9c771385d3
commit 9556262e87
1 changed files with 12 additions and 9 deletions
--- a/drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
+++ b/drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
@@ -4846,7 +4846,7 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 		}
 		/* Check for integer overflow */
-		if (clock_config->num_rdi != 1) {
+		if (clock_config->num_rdi > 1) {
 			if (sizeof(uint64_t) > ((UINT_MAX -
 				sizeof(struct cam_isp_clock_config)) /
 				(clock_config->num_rdi - 1))) {
@@ -4858,8 +4858,9 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 			}
 		}
-		if (blob_size < (sizeof(struct cam_isp_clock_config) +
+		if ((clock_config->num_rdi != 0) && (blob_size <
-			sizeof(uint64_t) * (clock_config->num_rdi - 1))) {
+			(sizeof(struct cam_isp_clock_config) +
 			sizeof(uint64_t) * (clock_config->num_rdi - 1)))) {
 			CAM_ERR(CAM_ISP, "Invalid blob size %u expected %lu",
 				blob_size,
 				sizeof(uint32_t) * 2 + sizeof(uint64_t) *
@@ -4893,7 +4894,7 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 		}
 		/* Check for integer overflow */
-		if (bw_config->num_rdi != 1) {
+		if (bw_config->num_rdi > 1) {
 			if (sizeof(struct cam_isp_bw_vote) > ((UINT_MAX -
 				sizeof(struct cam_isp_bw_config)) /
 				(bw_config->num_rdi - 1))) {
@@ -4905,9 +4906,10 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 			}
 		}
-		if (blob_size < (sizeof(struct cam_isp_bw_config) +
+		if ((bw_config->num_rdi != 0) && (blob_size <
 			(sizeof(struct cam_isp_bw_config) +
 			(bw_config->num_rdi - 1) *
-			sizeof(struct cam_isp_bw_vote))) {
+			sizeof(struct cam_isp_bw_vote)))) {
 			CAM_ERR(CAM_ISP, "Invalid blob size %u expected %lu",
 				blob_size, sizeof(struct cam_isp_bw_config) +
 				(bw_config->num_rdi - 1) *
@@ -4949,7 +4951,7 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 		}
 		/* Check for integer overflow */
-		if (bw_config->num_paths != 1) {
+		if (bw_config->num_paths > 1) {
 			if (sizeof(struct cam_axi_per_path_bw_vote) >
 				((UINT_MAX -
 				sizeof(struct cam_isp_bw_config_v2)) /
@@ -4963,8 +4965,9 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
 			}
 		}
-		if (blob_size < (sizeof(struct cam_isp_bw_config_v2) +
+		if ((bw_config->num_paths != 0) && (blob_size <
-			((bw_config->num_paths - 1) *
+			(sizeof(struct cam_isp_bw_config_v2) +
 			(bw_config->num_paths - 1) *
 			sizeof(struct cam_axi_per_path_bw_vote)))) {
 			CAM_ERR(CAM_ISP,
 				"Invalid blob size: %u, num_paths: %u, bw_config size: %lu, per_path_vote size: %lu",