Merge "msm: vidc: Preventing dereference pointers and array out of bounds" into msm-3.0
diff --git a/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_interrupt_handler.c b/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_interrupt_handler.c
index c2ab8ad..cc35ea3 100644
--- a/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_interrupt_handler.c
+++ b/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_interrupt_handler.c
@@ -877,25 +877,31 @@
vidc_1080p_clear_returned_channel_inst_id();
ddl = ddl_get_current_ddl_client_for_channel_id(ddl_context,
ddl_context->response_cmd_ch_id);
- if (!ddl || (!DDLCLIENT_STATE_IS(ddl, DDL_CLIENT_WAIT_FOR_EOS_DONE))) {
- DDL_MSG_ERROR("STATE-CRITICAL-EOSFRMDONE");
- ddl_client_fatal_cb(ddl);
+ if (ddl == NULL) {
+ DDL_MSG_ERROR("NO_DDL_CONTEXT");
} else {
- struct ddl_encoder_data *encoder = &(ddl->codec_data.encoder);
- vidc_1080p_get_encode_frame_info(&encoder->enc_frame_info);
- ddl_handle_enc_frame_done(ddl);
- DDL_MSG_LOW("encoder_eos_done");
- ddl->cmd_state = DDL_CMD_INVALID;
- DDL_MSG_LOW("ddl_state_transition: %s ~~>"
+ if (!DDLCLIENT_STATE_IS(ddl, DDL_CLIENT_WAIT_FOR_EOS_DONE)) {
+ DDL_MSG_ERROR("STATE-CRITICAL-EOSFRMDONE");
+ ddl_client_fatal_cb(ddl);
+ } else {
+ struct ddl_encoder_data *encoder =
+ &(ddl->codec_data.encoder);
+ vidc_1080p_get_encode_frame_info(
+ &encoder->enc_frame_info);
+ ddl_handle_enc_frame_done(ddl);
+ DDL_MSG_LOW("encoder_eos_done");
+ ddl->cmd_state = DDL_CMD_INVALID;
+ DDL_MSG_LOW("ddl_state_transition: %s ~~>"
"DDL_CLIENT_WAIT_FOR_FRAME",
ddl_get_state_string(ddl->client_state));
- ddl->client_state = DDL_CLIENT_WAIT_FOR_FRAME;
- DDL_MSG_LOW("eos_done");
- ddl_context->ddl_callback(VCD_EVT_RESP_EOS_DONE,
- VCD_S_SUCCESS, NULL, 0,
- (u32 *)ddl, ddl->client_data);
- ddl_release_command_channel(ddl_context,
- ddl->command_channel);
+ ddl->client_state = DDL_CLIENT_WAIT_FOR_FRAME;
+ DDL_MSG_LOW("eos_done");
+ ddl_context->ddl_callback(VCD_EVT_RESP_EOS_DONE,
+ VCD_S_SUCCESS, NULL, 0,
+ (u32 *)ddl, ddl->client_data);
+ ddl_release_command_channel(ddl_context,
+ ddl->command_channel);
+ }
}
}
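Review bot: The new `ddl == NULL` branch only logs and falls through, so no callback is delivered and nothing visible in this hunk releases the channel named by `ddl_context->response_cmd_ch_id`. If a missing client can be reached here, for example after a client is torn down, confirm that the channel is not left busy. The message `"NO_DDL_CONTEXT"` is also misleading, because `ddl_context` was dereferenced just above and it is the client lookup that failed; `DDL_MSG_ERROR("EOSFRMDONE: no ddl client for channel");` would describe the failure correctly. The extra nesting could be avoided with `} else if (!DDLCLIENT_STATE_IS(ddl, DDL_CLIENT_WAIT_FOR_EOS_DONE)) {`, which keeps the success path at its original indent. The enclosing function starts outside the hunk.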
diff --git a/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_properties.c b/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_properties.c
index bb26c51..0405513 100644
--- a/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_properties.c
+++ b/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_properties.c
@@ -834,38 +834,55 @@
break;
case VCD_I_RECON_BUFFERS:
{
- int index;
+ int index, index_hw_bufs = -1;
struct vcd_property_enc_recon_buffer *recon_buffers =
(struct vcd_property_enc_recon_buffer *)property_value;
for (index = 0; index < 4; index++) {
- if (!encoder->hw_bufs.dpb_y[index].align_physical_addr)
+ if (!encoder->hw_bufs.dpb_y[index].
+ align_physical_addr) {
+ index_hw_bufs = index;
break;
- else
+ } else
continue;
- }
- if (property_hdr->sz == sizeof(struct
- vcd_property_enc_recon_buffer)) {
- encoder->hw_bufs.dpb_y[index].align_physical_addr =
- recon_buffers->physical_addr;
- encoder->hw_bufs.dpb_y[index].align_virtual_addr =
- recon_buffers->kernel_virtual_addr;
- encoder->hw_bufs.dpb_y[index].buffer_size =
- recon_buffers->buffer_size;
- encoder->hw_bufs.dpb_c[index].align_physical_addr =
- recon_buffers->physical_addr + ddl_get_yuv_buf_size(
- encoder->frame_size.width, encoder->frame_size.
- height, DDL_YUV_BUF_TYPE_TILE);
- encoder->hw_bufs.dpb_c[index].align_virtual_addr =
- recon_buffers->kernel_virtual_addr +
- recon_buffers->ysize;
- DDL_MSG_LOW("Y::KVirt: %p,KPhys: %p"
- "UV::KVirt: %p,KPhys: %p\n",
- encoder->hw_bufs.dpb_y[index].align_virtual_addr,
- encoder->hw_bufs.dpb_y[index].align_physical_addr,
- encoder->hw_bufs.dpb_c[index].align_virtual_addr,
- encoder->hw_bufs.dpb_c[index].align_physical_addr);
- vcd_status = VCD_S_SUCCESS;
- }
+ }
+ if (index_hw_bufs == -1) {
+ DDL_MSG_HIGH("ERROR: value of index_hw_bufs");
+ vcd_status = VCD_ERR_ILLEGAL_PARM;
+ } else {
+ if (property_hdr->sz == sizeof(struct
+ vcd_property_enc_recon_buffer)) {
+ encoder->hw_bufs.dpb_y[index_hw_bufs].
+ align_physical_addr =
+ recon_buffers->physical_addr;
+ encoder->hw_bufs.dpb_y[index_hw_bufs].
+ align_virtual_addr =
+ recon_buffers->kernel_virtual_addr;
+ encoder->hw_bufs.dpb_y[index_hw_bufs].
+ buffer_size = recon_buffers->buffer_size;
+ encoder->hw_bufs.dpb_c[index_hw_bufs].
+ align_physical_addr =
+ recon_buffers->physical_addr +
+ ddl_get_yuv_buf_size(
+ encoder->frame_size.width,
+ encoder->frame_size.height,
+ DDL_YUV_BUF_TYPE_TILE);
+ encoder->hw_bufs.dpb_c[index_hw_bufs].
+ align_virtual_addr =
+ recon_buffers->kernel_virtual_addr +
+ recon_buffers->ysize;
+ DDL_MSG_LOW("Y::KVirt: %p,KPhys: %p"
+ "UV::KVirt: %p,KPhys: %p\n",
+ encoder->hw_bufs.dpb_y[index_hw_bufs].
+ align_virtual_addr,
+ encoder->hw_bufs.dpb_y[index_hw_bufs].
+ align_physical_addr,
+ encoder->hw_bufs.dpb_c[index_hw_bufs].
+ align_virtual_addr,
+ encoder->hw_bufs.dpb_c[index_hw_bufs].
+ align_physical_addr);
+ vcd_status = VCD_S_SUCCESS;
+ }
+ }
}
break;
case VCD_I_FREE_RECON_BUFFERS:
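Review bot: The values copied from `recon_buffers` are still stored unchecked. `dpb_c[index_hw_bufs].align_virtual_addr` is `kernel_virtual_addr + ysize` and the chroma physical address is offset by `ddl_get_yuv_buf_size(...)`, but neither offset is compared with `recon_buffers->buffer_size`. If the property contents are caller-controlled (not visible here), a chroma address beyond the supplied buffer could end up programmed into the encoder; extending the size test to `if (property_hdr->sz == sizeof(struct vcd_property_enc_recon_buffer) && recon_buffers->ysize <= recon_buffers->buffer_size) {` would reject that case. The text `"ERROR: value of index_hw_bufs"` does not say that all four `dpb_y` slots are already in use, and the `DDL_MSG_LOW` call logs kernel virtual and physical addresses with `%p`, which is worth keeping out of production logs. The enclosing switch begins and ends outside the hunk.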
diff --git a/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_shared_mem.c b/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_shared_mem.c
index 8160895..ac05364 100644
--- a/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_shared_mem.c
+++ b/drivers/video/msm/vidc/1080p/ddl/vcd_ddl_shared_mem.c
@@ -690,7 +690,7 @@
enum vidc_sm_mpeg4_profileinfo profile_info)
{
u32 profile_enforce = 0;
- if (shared_mem) {
+ if (shared_mem != NULL) {
profile_enforce = 1;
switch (profile_info) {
case VIDC_SM_PROFILE_INFO_ASP:
@@ -704,8 +704,8 @@
profile_enforce = 0;
break;
}
+ DDL_MEM_WRITE_32(shared_mem, 0x15c, profile_enforce);
}
- DDL_MEM_WRITE_32(shared_mem, 0x15c, profile_enforce);
}
void vidc_sm_set_decoder_sei_enable(struct ddl_buf_addr *shared_mem,
u32 sei_enable)
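Review bot: With `DDL_MEM_WRITE_32(shared_mem, 0x15c, profile_enforce);` moved inside the NULL check, a NULL `shared_mem` now makes this function a silent no-op. It returns void, so the caller cannot tell that profile enforcement was never written to shared memory. An `else` branch with a `DDL_MSG_ERROR`, as this commit adds in the interrupt handler, would make that visible. The bare offset `0x15c` would also read better as a named constant, if the file defines names for its other shared-memory offsets (not visible here). The function's signature begins above the first hunk of this file.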