Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 8d1f7531ff379befc129a6447642061e87562bca^! / .
commit8d1f7531ff379befc129a6447642061e87562bca[log] [tgz]
authorHariram Purushothaman <hpurus@codeaurora.org>Tue Jul 23 15:39:09 2013 -0700
committerHariram Purushothaman <hpurus@codeaurora.org>Tue Jul 23 16:00:36 2013 -0700
tree4597ef68f4f352d7828d49246842f428ae16151a
parentdd3fd9994290181008038bf0e5bf5fa48efd7b90 [diff]
msm: camera: Check stats index MAX in ISP driver

Add a check for the stats index MAX using
MSM_ISP_STATS_MAX before accessing stream info
using that index to avoid any invalid memory access.

Change-Id: Iaade2af5d0e3e073e9519961a0f84a93038284bf
CRs-Fixed: 514711
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>

diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
index d857a14..33f63b3 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c

@@ -150,6 +150,12 @@
 	stats_idx = vfe_dev->hw_info->vfe_ops.stats_ops.
 		get_stats_idx(stream_req_cmd->stats_type);
 
+	if ((stats_idx > MSM_ISP_STATS_MAX) ||
+		(stats_idx == -EINVAL)) {
+		pr_err("%s: Stats idx Error\n", __func__);
+		return rc;
+	}
+
 	stream_info = &stats_data->stream_info[stats_idx];
 	if (stream_info->state != STATS_AVALIABLE) {
 		pr_err("%s: Stats already requested\n", __func__);
@@ -188,7 +194,7 @@
 
 int msm_isp_request_stats_stream(struct vfe_device *vfe_dev, void *arg)
 {
-	int rc = 0;
+	int rc = -1;
 	struct msm_vfe_stats_stream_request_cmd *stream_req_cmd = arg;
 	struct msm_vfe_stats_stream *stream_info = NULL;
 	struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data;
@@ -202,6 +208,11 @@
 	}
 
 	stats_idx = STATS_IDX(stream_req_cmd->stream_handle);
+	if (stats_idx > MSM_ISP_STATS_MAX) {
+		pr_err("%s: Stats idx Error\n", __func__);
+		return rc;
+	}
+
 	stream_info = &stats_data->stream_info[stats_idx];
 
 	framedrop_period = msm_isp_get_framedrop_period(
@@ -228,9 +239,14 @@
 	struct msm_vfe_stats_stream_release_cmd *stream_release_cmd = arg;
 	struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data;
 	int stats_idx = STATS_IDX(stream_release_cmd->stream_handle);
-	struct msm_vfe_stats_stream *stream_info =
-		&stats_data->stream_info[stats_idx];
+	struct msm_vfe_stats_stream *stream_info = NULL;
 
+	if (stats_idx > MSM_ISP_STATS_MAX) {
+		pr_err("%s: Stats idx Error\n", __func__);
+		return rc;
+	}
+
+	stream_info = &stats_data->stream_info[stats_idx];
 	if (stream_info->state == STATS_AVALIABLE) {
 		pr_err("%s: stream already release\n", __func__);
 		return rc;