
Merge "video: driver: fix array out of bounds exception"

qctecmdr 2 years ago
parent
commit
fd07f2cafd
2 changed files with 48 additions and 0 deletions
  1. 24 0
      driver/vidc/src/msm_vdec.c
  2. 24 0
      driver/vidc/src/msm_venc.c

+ 24 - 0
driver/vidc/src/msm_vdec.c

@@ -1012,6 +1012,12 @@ static int msm_vdec_subscribe_metadata(struct msm_vidc_inst *inst,
 			if (is_meta_rx_inp_enabled(inst, i) &&
 				msm_vidc_allow_metadata_subscription(
 					inst, i, port)) {
+				if (count + 1 >= sizeof(payload) / sizeof(u32)) {
+					i_vpr_e(inst,
+						"%s: input metadatas (%d) exceeded limit (%d)\n",
+						__func__, count, sizeof(payload) / sizeof(u32));
+					return -EINVAL;
+				}
 				payload[count + 1] = capability->cap[i].hfi_id;
 				count++;
 			}
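Review bot: The added error print passes `sizeof(payload) / sizeof(u32)`, which is a `size_t`, to a `%d` conversion; that is a format/argument mismatch on 64-bit builds and can print a wrong limit exactly when the guard fires. The limit should use `%zu`, as in `"%s: input metadatas (%d) exceeded limit (%zu)\n"`, and `count` should use `%u` if it is unsigned (its declaration is outside the hunk). The kernel's `ARRAY_SIZE(payload)` would express the limit more directly than the manual division. The same print appears in all eight guards added in msm_vdec.c and msm_venc.c. The bound itself matches the write at `payload[count + 1]`; msm_vdec_subscribe_metadata starts and ends outside the hunk.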
@@ -1021,6 +1027,12 @@ static int msm_vdec_subscribe_metadata(struct msm_vidc_inst *inst,
 			if (is_meta_rx_out_enabled(inst, i) &&
 				msm_vidc_allow_metadata_subscription(
 					inst, i, port)) {
+				if (count + 1 >= sizeof(payload) / sizeof(u32)) {
+					i_vpr_e(inst,
+						"%s: input metadatas (%d) exceeded limit (%d)\n",
+						__func__, count, sizeof(payload) / sizeof(u32));
+					return -EINVAL;
+				}
 				payload[count + 1] = capability->cap[i].hfi_id;
 				count++;
 			}
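Review bot: The message in this guard says "input metadatas" although the guard sits in the branch tested with `is_meta_rx_out_enabled`, so an overrun on the output side would be logged as an input problem and mislead whoever triages it. The same copied text is in the output-side guards of msm_vdec_set_delivery_mode_metadata, msm_venc_metadata_delivery and msm_venc_metadata_subscription. Either change these four to `"%s: output metadatas (%d) exceeded limit (%d)\n"` or use port-neutral wording that also prints `port`. The enclosing function continues outside the hunk.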
@@ -1062,6 +1074,12 @@ static int msm_vdec_set_delivery_mode_metadata(struct msm_vidc_inst *inst,
 	if (port == INPUT_PORT) {
 		for (i = INST_CAP_NONE + 1; i < INST_CAP_MAX; i++) {
 			if (is_meta_tx_inp_enabled(inst, i)) {
+				if (count + 1 >= sizeof(payload) / sizeof(u32)) {
+					i_vpr_e(inst,
+						"%s: input metadatas (%d) exceeded limit (%d)\n",
+						__func__, count, sizeof(payload) / sizeof(u32));
+					return -EINVAL;
+				}
 				payload[count + 1] = capability->cap[i].hfi_id;
 				count++;
 			}
@@ -1071,6 +1089,12 @@ static int msm_vdec_set_delivery_mode_metadata(struct msm_vidc_inst *inst,
 			if (is_meta_tx_out_enabled(inst, i)  &&
 				msm_vidc_allow_metadata_delivery(
 					inst, i, port)) {
+				if (count + 1 >= sizeof(payload) / sizeof(u32)) {
+					i_vpr_e(inst,
+						"%s: input metadatas (%d) exceeded limit (%d)\n",
+						__func__, count, sizeof(payload) / sizeof(u32));
+					return -EINVAL;
+				}
 				payload[count + 1] = capability->cap[i].hfi_id;
 				count++;
 			}

+ 24 - 0
driver/vidc/src/msm_venc.c

@@ -709,6 +709,12 @@ static int msm_venc_metadata_delivery(struct msm_vidc_inst *inst,
 	if (port == INPUT_PORT) {
 		for (i = INST_CAP_NONE + 1; i < INST_CAP_MAX; i++) {
 			if (is_meta_tx_inp_enabled(inst, i)) {
+				if (count + 1 >= sizeof(payload) / sizeof(u32)) {
+					i_vpr_e(inst,
+						"%s: input metadatas (%d) exceeded limit (%d)\n",
+						__func__, count, sizeof(payload) / sizeof(u32));
+					return -EINVAL;
+				}
 				payload[count + 1] = capability->cap[i].hfi_id;
 				count++;
 			}
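Review bot: This six-line guard is now repeated verbatim eight times across msm_vdec.c and msm_venc.c, so the bound and its message can drift apart the next time the payload layout changes. A single shared helper would keep the check in one place and fix the format specifiers once. The sketch below uses a suggested helper name and assumes `count` is a u32, which is not visible in the hunk. Whether anything set up earlier in msm_venc_metadata_delivery must be released before the early return cannot be seen from here, since the function starts and ends outside the hunk.

```c
/* Suggested helper: rejects a write to payload[count + 1] that would fall outside the array. */
static inline int msm_vidc_check_meta_slot(struct msm_vidc_inst *inst,
	const char *func, u32 count, size_t max_slots)
{
	if ((size_t)count + 1 >= max_slots) {
		i_vpr_e(inst, "%s: metadata count (%u) exceeded limit (%zu)\n",
			func, count, max_slots);
		return -EINVAL;
	}
	return 0;
}

/* … unchanged: port check, capability loop and is_meta_tx_inp_enabled() test … */
				if (msm_vidc_check_meta_slot(inst, __func__, count,
						ARRAY_SIZE(payload)))
					return -EINVAL;
				payload[count + 1] = capability->cap[i].hfi_id;
```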
@@ -716,6 +722,12 @@ static int msm_venc_metadata_delivery(struct msm_vidc_inst *inst,
 	} else if (port == OUTPUT_PORT) {
 		for (i = INST_CAP_NONE + 1; i < INST_CAP_MAX; i++) {
 			if (is_meta_tx_out_enabled(inst, i)) {
+				if (count + 1 >= sizeof(payload) / sizeof(u32)) {
+					i_vpr_e(inst,
+						"%s: input metadatas (%d) exceeded limit (%d)\n",
+						__func__, count, sizeof(payload) / sizeof(u32));
+					return -EINVAL;
+				}
 				payload[count + 1] = capability->cap[i].hfi_id;
 				count++;
 			}
@@ -757,6 +769,12 @@ static int msm_venc_metadata_subscription(struct msm_vidc_inst *inst,
 	if (port == INPUT_PORT) {
 		for (i = INST_CAP_NONE + 1; i < INST_CAP_MAX; i++) {
 			if (is_meta_rx_inp_enabled(inst, i)) {
+				if (count + 1 >= sizeof(payload) / sizeof(u32)) {
+					i_vpr_e(inst,
+						"%s: input metadatas (%d) exceeded limit (%d)\n",
+						__func__, count, sizeof(payload) / sizeof(u32));
+					return -EINVAL;
+				}
 				payload[count + 1] = capability->cap[i].hfi_id;
 				count++;
 			}
@@ -764,6 +782,12 @@ static int msm_venc_metadata_subscription(struct msm_vidc_inst *inst,
 	} else if (port == OUTPUT_PORT) {
 		for (i = INST_CAP_NONE + 1; i < INST_CAP_MAX; i++) {
 			if (is_meta_rx_out_enabled(inst, i)) {
+				if (count + 1 >= sizeof(payload) / sizeof(u32)) {
+					i_vpr_e(inst,
+						"%s: input metadatas (%d) exceeded limit (%d)\n",
+						__func__, count, sizeof(payload) / sizeof(u32));
+					return -EINVAL;
+				}
 				payload[count + 1] = capability->cap[i].hfi_id;
 				count++;
 			}