[RAMEN9610-10029][COMMON] media: mfc: fix Out-of-Bound defect

This adds to check the size of copy_from_user().

Change-Id: Icb869f2906881889305beea6b4fb3bbd9ef14f08
Signed-off-by: Sunyoung Kang <sy0816.kang@samsung.com>

diff --git a/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c b/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c
index 91d1107f8df552250cc448fe62b2aba4c98e1e8d..e64ce08206c564da06734f2cccde80ef6c8989f1 100644 (file)
--- a/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c
+++ b/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c
@@ -1908,6 +1908,11 @@ static int __mfc_enc_set_ctrl_val(struct mfc_ctx *ctx, struct v4l2_control *ctrl
                                        memcpy(&enc->roi_info[index],
                                                        enc->sh_handle_roi.vaddr,
                                                        sizeof(struct mfc_enc_roi_info));
+                                       if (enc->roi_info[index].size > enc->roi_buf[index].size) {
+                                               mfc_err_ctx("[MEMINFO][ROI] roi info size %d is over\n",
+                                                       enc->roi_info[index].size);
+                                               return -EINVAL;
+                                       }
                                        if (copy_from_user(enc->roi_buf[index].vaddr,
                                                        enc->roi_info[index].addr,
                                                        enc->roi_info[index].size))