From 45dbb6c0cde224cb333d62a9111c264367d27df2 Mon Sep 17 00:00:00 2001 From: Trishansh Bhardwaj Date: Fri, 30 Jul 2021 05:22:31 +0000 Subject: [PATCH] msm: camera: ife: Add ife num outport bound checks Variable num_ports is provided by userspace, it it used to index res_list_isp_out. Big num_ports value can cause out of bound read. Bound check num_ports, to prevent OOB read. CRs-Fixed: 3056360 Change-Id: I86b6cf0419c68af1f510ce166e4964e177367eaf Signed-off-by: Trishansh Bhardwaj --- .../isp_hw_mgr/hw_utils/cam_isp_packet_parser.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/cam_isp/isp_hw_mgr/hw_utils/cam_isp_packet_parser.c b/drivers/cam_isp/isp_hw_mgr/hw_utils/cam_isp_packet_parser.c index 09b0cdb0e881..7357cfd9f77b 100644 --- a/drivers/cam_isp/isp_hw_mgr/hw_utils/cam_isp_packet_parser.c +++ b/drivers/cam_isp/isp_hw_mgr/hw_utils/cam_isp_packet_parser.c @@ -124,6 +124,12 @@ static int cam_isp_update_dual_config( cpu_addr += (cmd_desc->offset / 4); dual_config = (struct cam_isp_dual_config *)cpu_addr; + if (dual_config->num_ports > size_isp_out) { + CAM_ERR(CAM_ISP, "num_ports %d more than max_vfe_out_res %d", + dual_config->num_ports, size_isp_out); + return -EINVAL; + } + if ((dual_config->num_ports * sizeof(struct cam_isp_dual_stripe_config)) > (remain_len - offsetof(struct cam_isp_dual_config, stripes))) { @@ -132,14 +138,6 @@ static int cam_isp_update_dual_config( } for (i = 0; i < dual_config->num_ports; i++) { - if (i >= CAM_ISP_IFE_OUT_RES_BASE + size_isp_out) { - CAM_ERR(CAM_ISP, - "failed update for i:%d > size_isp_out:%d", - i, size_isp_out); - rc = -EINVAL; - goto end; - } - hw_mgr_res = &res_list_isp_out[i]; if (!hw_mgr_res) { CAM_ERR(CAM_ISP,
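Review bot: The new bound check reads `dual_config->num_ports` directly from the command buffer, and the same field is read again in the length check that follows and in the `for (i = 0; i < dual_config->num_ports; i++)` condition in the second hunk, so the validation only holds if that memory cannot change between reads. The commit message says the value is provided by userspace; if the buffer behind `cpu_addr` stays writable by the submitting process (not visible in these hunks), the field could grow after the check, and with the per-iteration check removed nothing inside the loop would catch it. Taking a single snapshot, e.g. `u32 num_ports = READ_ONCE(dual_config->num_ports);`, and using `num_ports` for both checks and the loop bound would close that window. The added `CAM_ERR` also prints both values with `%d`; if they are unsigned (their declarations are outside the hunk), `%u` keeps an oversized value from being logged as negative. cam_isp_update_dual_config starts before the first hunk and continues past the second.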