
video: driver: Handle mem corruption while parsing dpb list prop

While parsing dpb_list_property packet, memcpy happens from
hfi_packet to inst->dpb_list_payload which is being allocated
with max size of 256 Bytes. If dpb_list_prop packet size is
greater than 256 Bytes, then driver will change the state to
ERROR state but still memcpy will happen which will read
and write memory greater than allocated hence corrupting
the memory. Added fix by returning error.

Change-Id: I81617c88c68194fbd442059c63fa702d1e839478
Signed-off-by: Vedang Nagar <[email protected]>
Vedang Nagar 2 years ago
commit efa48a607a
1 changed file with 1 addition and 0 deletions

+ 1 - 0
driver/vidc/src/venus_hfi_response.c

@@ -1587,6 +1587,7 @@ static int handle_dpb_list_property(struct msm_vidc_inst *inst,
 			"%s: dpb list payload size %d exceeds expected max size %d\n",
 			__func__, payload_size, MAX_DPB_LIST_PAYLOAD_SIZE);
 		msm_vidc_change_state(inst, MSM_VIDC_ERROR, __func__);
+		return -EINVAL;
 	}
 	memcpy(inst->dpb_list_payload, payload_start, payload_size);
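
Review bot: the guard in front of the memcpy into inst->dpb_list_payload still checks only the upper bound, and the error log prints payload_size with `%d`. The visible lines do not show how payload_size is declared or computed. If it is a signed int, or is derived by subtracting a header length from the packet size, a negative value would pass the `> MAX_DPB_LIST_PAYLOAD_SIZE` comparison and reach memcpy as a very large size_t. Please confirm payload_size is unsigned (and switch the format to `%u`), or extend the check to reject values below zero before the copy. It is also worth confirming that the caller of handle_dpb_list_property() propagates the new `-EINVAL` instead of continuing to process the rest of the packet with the instance already in MSM_VIDC_ERROR.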