[RAMEN9610-10029][COMMON] media: mfc: fix Out-of-Bound defect

author Sunyoung Kang <sy0816.kang@samsung.com>

Wed, 24 Oct 2018 08:04:59 +0000 (17:04 +0900)

committer hskang <hs1218.kang@samsung.com>

Fri, 28 Dec 2018 09:54:00 +0000 (18:54 +0900)
author Sunyoung Kang <sy0816.kang@samsung.com>
Wed, 24 Oct 2018 08:04:59 +0000 (17:04 +0900)
committer hskang <hs1218.kang@samsung.com>
Fri, 28 Dec 2018 09:54:00 +0000 (18:54 +0900)
diff --git a/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c b/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c

index 91d1107f8df552250cc448fe62b2aba4c98e1e8d..e64ce08206c564da06734f2cccde80ef6c8989f1 100644 (file)
--- a/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c
+++ b/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c
@@ -1908,6 +1908,11 @@ static int __mfc_enc_set_ctrl_val(struct mfc_ctx *ctx, struct v4l2_control *ctrl
                                         memcpy(&enc->roi_info[index],
                                                         enc->sh_handle_roi.vaddr,
                                                         sizeof(struct mfc_enc_roi_info));
+                                       if (enc->roi_info[index].size > enc->roi_buf[index].size) {
+                                               mfc_err_ctx("[MEMINFO][ROI] roi info size %d is over\n",
+                                                       enc->roi_info[index].size);
+                                               return -EINVAL;
+                                       }
                                         if (copy_from_user(enc->roi_buf[index].vaddr,
                                                         enc->roi_info[index].addr,
                                                         enc->roi_info[index].size))
author	Sunyoung Kang <sy0816.kang@samsung.com>
	Wed, 24 Oct 2018 08:04:59 +0000 (17:04 +0900)
committer	hskang <hs1218.kang@samsung.com>
	Fri, 28 Dec 2018 09:54:00 +0000 (18:54 +0900)