Skip to content

Commit

Permalink
media: venus: hfi: add checks to handle capabilities from firmware
Browse files Browse the repository at this point in the history 
commit 8d0b893 upstream.

The hfi parser, parses the capabilities received from venus firmware and
copies them to core capabilities. Consider below api, for example,
fill_caps - In this api, caps in core structure gets updated with the
number of capabilities received in firmware data payload. If the same api
is called multiple times, there is a possibility of copying beyond the max
allocated size in core caps.
Similar possibilities in fill_raw_fmts and fill_profile_level functions.

Cc: stable@vger.kernel.org
Fixes: 1a73374 ("media: venus: hfi_parser: add common capability parser")
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
@Vikash-Garodia @gregkh
Vikash-Garodia authored and gregkh committed Nov 28, 2023
1 parent bc3ade7 commit da2617b
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions drivers/media/platform/qcom/venus/hfi_parser.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,9 @@ static void fill_profile_level(struct hfi_plat_caps *cap, const void *data,
{
const struct hfi_profile_level *pl = data;

if (cap->num_pl + num >= HFI_MAX_PROFILE_COUNT)
return;

memcpy(&cap->pl[cap->num_pl], pl, num * sizeof(*pl));
cap->num_pl += num;
}
Expand All @@ -114,6 +117,9 @@ fill_caps(struct hfi_plat_caps *cap, const void *data, unsigned int num)
{
const struct hfi_capability *caps = data;

if (cap->num_caps + num >= MAX_CAP_ENTRIES)
return;

memcpy(&cap->caps[cap->num_caps], caps, num * sizeof(*caps));
cap->num_caps += num;
}
Expand All @@ -140,6 +146,9 @@ static void fill_raw_fmts(struct hfi_plat_caps *cap, const void *fmts,
{
const struct raw_formats *formats = fmts;

if (cap->num_fmts + num_fmts >= MAX_FMT_ENTRIES)
return;

memcpy(&cap->fmts[cap->num_fmts], formats, num_fmts * sizeof(*formats));
cap->num_fmts += num_fmts;
}
Expand All @@ -162,6 +171,9 @@ parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data)
rawfmts[i].buftype = fmt->buffer_type;
i++;

if (i >= MAX_FMT_ENTRIES)
return;

if (pinfo->num_planes > MAX_PLANES)
break;

Expand Down

0 comments on commit da2617b

Please sign in to comment.