msm: camera: Modify size field in icp handles
Modify the size parameter being sent as part of the
abort and destroy handle in icp hardware manager. An
extra 4 bytes more than the accesible data to read is
being sent in the size field leading to an overread.
Change-Id: I05bcbeb7899506db615a6fb481a3967614a03cb3
Signed-off-by: Karthik Anantha Ram <kartanan@codeaurora.org>
diff --git a/drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c b/drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c
index 8824e44..a0ad151 100644
--- a/drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c
+++ b/drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c
@@ -568,9 +568,7 @@
return -ENOMEM;
abort_cmd.size =
- sizeof(struct hfi_cmd_ipebps_async) +
- sizeof(struct hfi_cmd_abort_destroy) -
- sizeof(abort_cmd.payload.direct);
+ sizeof(struct hfi_cmd_ipebps_async);
abort_cmd.pkt_type = HFI_CMD_IPEBPS_ASYNC_COMMAND_DIRECT;
if (ctx_data->icp_dev_acquire_info->dev_type == CAM_ICP_RES_TYPE_BPS)
abort_cmd.opcode = HFI_IPEBPS_CMD_OPCODE_BPS_ABORT;
@@ -622,9 +620,7 @@
return -ENOMEM;
destroy_cmd.size =
- sizeof(struct hfi_cmd_ipebps_async) +
- sizeof(struct ipe_bps_destroy) -
- sizeof(destroy_cmd.payload.direct);
+ sizeof(struct hfi_cmd_ipebps_async);
destroy_cmd.pkt_type = HFI_CMD_IPEBPS_ASYNC_COMMAND_DIRECT;
if (ctx_data->icp_dev_acquire_info->dev_type == CAM_ICP_RES_TYPE_BPS)
destroy_cmd.opcode = HFI_IPEBPS_CMD_OPCODE_BPS_DESTROY;