video: driver: Handle mem corruption while parsing dpb list prop

While parsing dpb_list_property packet, memcpy happens from hfi_packet to inst->dpb_list_payload which is being allocated with max size of 256 Bytes. If dpb_list_prop packet size is greater than 256Bytes, then driver will change the state to ERROR state but still memcpy will happen shich will read and write memory greater than allocated hence corrupting the memory. Added fix by returning error. Change-Id: I81617c88c68194fbd442059c63fa702d1e839478 Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com>
2022-10-06 17:23:14 +05:30
--- a/driver/vidc/src/venus_hfi_response.c
+++ b/driver/vidc/src/venus_hfi_response.c
@@ -1587,6 +1587,7 @@ static int handle_dpb_list_property(struct msm_vidc_inst *inst,
 			"%s: dpb list payload size %d exceeds expected max size %d\n",
 			__func__, payload_size, MAX_DPB_LIST_PAYLOAD_SIZE);
 		msm_vidc_change_state(inst, MSM_VIDC_ERROR, __func__);
+		return -EINVAL;
 	}
 	memcpy(inst->dpb_list_payload, payload_start, payload_size);