
video: driver: Handle mem corruption while parsing dpb list prop

While parsing dpb_list_property packet, memcpy happens from
hfi_packet to inst->dpb_list_payload which is being allocated
with max size of 256 Bytes. If dpb_list_prop packet size is
greater than 256 Bytes, then driver will change the state to
ERROR state but still memcpy will happen which will read
and write memory greater than allocated hence corrupting
the memory. Added fix by returning error.

Change-Id: I81617c88c68194fbd442059c63fa702d1e839478
Signed-off-by: Vedang Nagar <[email protected]>
Vedang Nagar 2 years ago
parent
commit
efa48a607a
1 changed file with 1 addition and 0 deletions
  1. 1 0
      driver/vidc/src/venus_hfi_response.c

+ 1 - 0
driver/vidc/src/venus_hfi_response.c

@@ -1587,6 +1587,7 @@ static int handle_dpb_list_property(struct msm_vidc_inst *inst,
 			"%s: dpb list payload size %d exceeds expected max size %d\n",
 			__func__, payload_size, MAX_DPB_LIST_PAYLOAD_SIZE);
 		msm_vidc_change_state(inst, MSM_VIDC_ERROR, __func__);
+		return -EINVAL;
 	}
 	memcpy(inst->dpb_list_payload, payload_start, payload_size);
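Review bot: payload_size is logged with %d in the error print just above the new return, which suggests a signed type; if it is signed and the guard is only an upper-bound comparison against MAX_DPB_LIST_PAYLOAD_SIZE, a negative value would skip this branch and still reach memcpy(inst->dpb_list_payload, payload_start, payload_size) as a very large length. Please confirm the variable is unsigned (and print it with %u), or add a lower-bound check alongside the existing one. The early return -EINVAL is the right fix for the case described in the commit message. Since the message mentions both the read and the write side, it is also worth checking that payload_size is validated against the number of bytes actually present in the received packet, because the lines shown here only bound it against the destination buffer size, and that callers of handle_dpb_list_property propagate the new error code.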