msm: vidc: Validate userspace buffer count.

Make sure the number of buffers is less than
the maximum limit to avoid structure overflow errors.

Change-Id: Icf3850de36325637ae43ac95f1c8f0f63e201d31
CRs-fixed: 563694
Signed-off-by: Pachika, Vikas Reddy <vpachi@codeaurora.org>
Signed-off-by: Sivasri Kumar Vanka <sivasri@codeaurora.org>

Conflicts:
	include/media/msm/vidc_init.h
diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c
index 175947f..0958e07 100755
--- a/drivers/video/msm/vidc/common/dec/vdec.c
+++ b/drivers/video/msm/vidc/common/dec/vdec.c
@@ -1110,6 +1110,12 @@
 	vcd_h264_mv_buffer->pmem_fd = mv_data->pmem_fd;
 	vcd_h264_mv_buffer->offset = mv_data->offset;
 
+	if (mv_data->count > MAX_MV_BUFFERS) {
+		ERR("MV buffers maximum count reached, count = %d",
+			mv_data->count);
+		return false;
+	}
+
 	if (!vcd_get_ion_status()) {
 		pr_err("PMEM not available\n");
 		return false;
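Review bot: The added test `if (mv_data->count > MAX_MV_BUFFERS)` bounds the userspace-supplied count only from above. The `%d` in the ERR call suggests `count` is a signed int (its declaration is not visible here); if so, a negative value passes the test and reaches whatever later code uses it as a size or loop bound. I would write `if (mv_data->count < 0 || mv_data->count > MAX_MV_BUFFERS) {`, and move the check above the `pmem_fd`/`offset` copies so that a rejected request leaves `vcd_h264_mv_buffer` unmodified. The commit message says "less than" while the code accepts `count == MAX_MV_BUFFERS`, so it is worth confirming which of the two matches the capacity of the structure being protected. The enclosing function starts and ends outside the hunk.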
diff --git a/include/media/msm/vidc_init.h b/include/media/msm/vidc_init.h
new file mode 100644
index 0000000..9c9a270
--- /dev/null
+++ b/include/media/msm/vidc_init.h
@@ -0,0 +1,112 @@
+/* Copyright (c) 2010-2012, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+ * only version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ */
+
+#ifndef VIDC_INIT_H
+#define VIDC_INIT_H
+#include <linux/msm_ion.h>
+#include <media/msm/vidc_type.h>
+#include <media/msm/vcd_property.h>
+
+#define VIDC_MAX_NUM_CLIENTS 4
+#define MAX_VIDEO_NUM_OF_BUFF 100
+#define MAX_META_BUFFERS 32
+#define MAX_MV_BUFFERS 32
+
+enum buffer_dir {
+	BUFFER_TYPE_INPUT,
+	BUFFER_TYPE_OUTPUT
+};
+
+struct buf_addr_table {
+	unsigned long user_vaddr;
+	unsigned long kernel_vaddr;
+	unsigned long phy_addr;
+	unsigned long buff_ion_flag;
+	struct ion_handle *buff_ion_handle;
+	int pmem_fd;
+	struct file *file;
+	unsigned long dev_addr;
+	void *client_data;
+};
+
+struct meta_buffer_addr_table {
+	u8 *kernel_vir_addr;
+	u8 *kernel_vir_addr_iommu;
+};
+
+struct video_client_ctx {
+	void *vcd_handle;
+	u32 num_of_input_buffers;
+	u32 num_of_output_buffers;
+	struct buf_addr_table input_buf_addr_table[MAX_VIDEO_NUM_OF_BUFF];
+	struct buf_addr_table output_buf_addr_table[MAX_VIDEO_NUM_OF_BUFF];
+	struct list_head msg_queue;
+	struct mutex msg_queue_lock;
+	struct mutex enrty_queue_lock;
+	wait_queue_head_t msg_wait;
+	struct completion event;
+	struct vcd_property_h264_mv_buffer vcd_h264_mv_buffer;
+	struct vcd_property_meta_buffer vcd_meta_buffer;
+	struct vcd_property_enc_recon_buffer recon_buffer[4];
+	u32 event_status;
+	u32 seq_header_set;
+	u32 stop_msg;
+	u32 stop_called;
+	u32 stop_sync_cb;
+	size_t meta_buf_size;
+	struct ion_client *user_ion_client;
+	struct ion_handle *seq_hdr_ion_handle;
+	struct ion_handle *h264_mv_ion_handle;
+	struct ion_handle *recon_buffer_ion_handle[4];
+	struct ion_handle *meta_buffer_ion_handle;
+	struct ion_handle *meta_buffer_iommu_ion_handle;
+	u32 dmx_disable;
+	struct meta_buffer_addr_table meta_addr_table[MAX_META_BUFFERS];
+};
+
+void __iomem *vidc_get_ioaddr(void);
+int vidc_load_firmware(void);
+void vidc_release_firmware(void);
+u32 vidc_get_fd_info(struct video_client_ctx *client_ctx,
+		enum buffer_dir buffer, int pmem_fd,
+		unsigned long kvaddr, int index,
+		struct ion_handle **buff_handle);
+u32 vidc_lookup_addr_table(struct video_client_ctx *client_ctx,
+	enum buffer_dir buffer, u32 search_with_user_vaddr,
+	unsigned long *user_vaddr, unsigned long *kernel_vaddr,
+	unsigned long *phy_addr, int *pmem_fd, struct file **file,
+	s32 *buffer_index);
+u32 vidc_insert_addr_table(struct video_client_ctx *client_ctx,
+	enum buffer_dir buffer, unsigned long user_vaddr,
+	unsigned long *kernel_vaddr, int pmem_fd,
+	unsigned long buffer_addr_offset,
+	unsigned int max_num_buffers, unsigned long length);
+u32 vidc_insert_addr_table_kernel(struct video_client_ctx *client_ctx,
+	enum buffer_dir buffer, unsigned long user_vaddr,
+	unsigned long kernel_vaddr, unsigned long phys_addr,
+	unsigned int max_num_buffers,
+	unsigned long length);
+u32 vidc_delete_addr_table(struct video_client_ctx *client_ctx,
+	enum buffer_dir buffer, unsigned long user_vaddr,
+	unsigned long *kernel_vaddr);
+void vidc_cleanup_addr_table(struct video_client_ctx *client_ctx,
+		enum buffer_dir buffer);
+
+u32 vidc_timer_create(void (*timer_handler)(void *),
+	void *user_data, void **timer_handle);
+void  vidc_timer_release(void *timer_handle);
+void  vidc_timer_start(void *timer_handle, u32 time_out);
+void  vidc_timer_stop(void *timer_handle);
+
+
+#endif
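Review bot: `MAX_MV_BUFFERS` is defined with no comment naming the storage it bounds, and that storage is not declared in this header, so the limit enforced in vdec.c cannot be checked against the real capacity from this file. `MAX_META_BUFFERS` at least sizes `meta_addr_table[]` here. I would add a comment above the define such as `/* Upper bound on the userspace-supplied H.264 MV buffer count; must not exceed the capacity of the MV buffer storage it guards */`, and ideally a compile-time assertion next to that storage. Separately, `struct video_client_ctx` embeds `struct list_head`, `struct mutex`, `wait_queue_head_t` and `struct completion` by value while the header includes none of `<linux/list.h>`, `<linux/mutex.h>`, `<linux/wait.h>` or `<linux/completion.h>`, so it appears to rely on transitive includes.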