
msm: camera: ope: check cpu buffer offset and cmd buf idx

There is no check on the cpu buffer offset, which may lead to an access
outside the cpu buffer map. There is no check on the cmd buffer index,
which may lead to an out-of-bounds or negative index. Add a check for
the cpu buffer map offset and a check for the cmd buffer index.

CRs-Fixed: 3864084
Change-Id: I39494b0a9f323cb5569d37a0c033b2eaf8fbd32c
Signed-off-by: jinguiw <[email protected]>
jinguiw 8 月之前
父節點
當前提交
d3fa7f131d
共有 1 個文件被更改,包括 12 次插入0 次删除
  1. 12 0
      drivers/cam_ope/ope_hw_mgr/cam_ope_hw_mgr.c

+ 12 - 0
drivers/cam_ope/ope_hw_mgr/cam_ope_hw_mgr.c

@@ -2212,6 +2212,14 @@ static int cam_ope_mgr_process_cmd_buf_req(struct cam_ope_hw_mgr *hw_mgr,
 						hw_mgr->iommu_hdl);
 					goto end;
 				}
+				if ((len <= frame_process->cmd_buf[i][j].offset) ||
+					(frame_process->cmd_buf[i][j].size <
+					frame_process->cmd_buf[i][j].length) ||
+					((len - frame_process->cmd_buf[i][j].offset) <
+					 frame_process->cmd_buf[i][j].length)) {
+					CAM_ERR(CAM_OPE, "Invalid offset.");
+					return -EINVAL;
+				}
 				cpu_addr = cpu_addr +
 					frame_process->cmd_buf[i][j].offset;
 				CAM_DBG(CAM_OPE, "Hdl %x size %d len %d off %d",
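Review bot: The new bounds check leaves with `return -EINVAL;`, while the failure branch directly above it in the same loop exits through `goto end;`, so whatever cleanup sits under `end` (not visible here) is skipped on this path. Using `rc = -EINVAL; goto end;` would keep the two error paths consistent, assuming `rc` is the variable returned at `end`. The stripe-index check in the second hunk has the same direct return. Separately, `"Invalid offset."` drops the values that failed; logging offset, length, size and len, as the `CAM_DBG` just below already does, would make a rejected command buffer diagnosable from the log. cam_ope_mgr_process_cmd_buf_req starts and ends outside the hunk.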
@@ -2260,6 +2268,10 @@ static int cam_ope_mgr_process_cmd_buf_req(struct cam_ope_hw_mgr *hw_mgr,
 				uint32_t s_idx = 0;
 
 				s_idx = cmd_buf->stripe_idx;
+				if (s_idx < 0 || s_idx >= OPE_MAX_STRIPES) {
+					CAM_ERR(CAM_OPE, "Invalid index.");
+					return -EINVAL;
+				}
 				num_cmd_bufs =
 				ope_request->num_stripe_cmd_bufs[i][s_idx];