From: Sunyoung Kang Date: Wed, 24 Oct 2018 08:04:59 +0000 (+0900) Subject: [RAMEN9610-10029][COMMON] media: mfc: fix Out-of-Bound defect X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=38aa413f2e96ac1f09878538ec9bf082cc3207d6;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [RAMEN9610-10029][COMMON] media: mfc: fix Out-of-Bound defect This adds to check the size of copy_from_user(). Change-Id: Icb869f2906881889305beea6b4fb3bbd9ef14f08 Signed-off-by: Sunyoung Kang --- diff --git a/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c b/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c index 91d1107f8df5..e64ce08206c5 100644 --- a/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c +++ b/drivers/media/platform/exynos/mfc/mfc_enc_v4l2.c @@ -1908,6 +1908,11 @@ static int __mfc_enc_set_ctrl_val(struct mfc_ctx *ctx, struct v4l2_control *ctrl memcpy(&enc->roi_info[index], enc->sh_handle_roi.vaddr, sizeof(struct mfc_enc_roi_info)); + if (enc->roi_info[index].size > enc->roi_buf[index].size) { + mfc_err_ctx("[MEMINFO][ROI] roi info size %d is over\n", + enc->roi_info[index].size); + return -EINVAL; + } if (copy_from_user(enc->roi_buf[index].vaddr, enc->roi_info[index].addr, enc->roi_info[index].size))
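Review bot: the new check in __mfc_enc_set_ctrl_val() only rejects sizes above enc->roi_buf[index].size, and the %d in the error message suggests roi_info[index].size is a signed int. If both sides of the comparison are signed, a negative size read from the shared handle passes the test and is then converted to a very large length when handed to copy_from_user(). Please confirm the field types, and either make the size unsigned or reject values <= 0 as well (printing with %u if it is unsigned). Second, the test runs after the memcpy() into enc->roi_info[index], so on the -EINVAL path the rejected size and user address stay in the context; consider validating a local copy of struct mfc_enc_roi_info first, or clearing the slot before returning. It would also help debugging if the message logged the limit, enc->roi_buf[index].size, next to the offending value instead of just "is over".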