video: tegra: host: fix possible overflow with num_syncpt_incrs
authorDeepak Nibade <dnibade@nvidia.com>
Mon, 27 Jun 2016 08:33:15 +0000 (13:33 +0530)
committerWinnie Hsu <whsu@nvidia.com>
Fri, 29 Jul 2016 05:58:59 +0000 (22:58 -0700)
commitbc15da6c6fc2f50109e866fe053b035721a23c3a
tree017a46a77372e2a9d064bfa53b7fc92675b28587
parent9a1e9a92e975274f4b3507922b7ab4805defe975
video: tegra: host: fix possible overflow with num_syncpt_incrs

We allocate below without checking if num_syncpt_incrs
is valid or not
struct nvhost_ctrl_sync_fence_info pts[num_syncpt_incrs];

If UMD passes a negative value in num_syncpt_incrs, then
it is possible to corrupt the stack

Hence, first check if num_syncpt_incrs is valid (i.e.
not negative)
And then allocate the array dynamically using kzalloc
instead of allocating it on stack

Bug 1781393

Change-Id: I5389fd271149b457f63831a41c104c9814299ddf
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1171747
(cherry picked from commit 07fb347b4060a888b19df3524f36fcf7974a79d1)
Reviewed-on: http://git-master/r/1172518
(cherry picked from commit 1db2d69b6abeb6fc9d4257db88f631d9c8aef74d)
Reviewed-on: http://git-master/r/1190211
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
Tested-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
drivers/video/tegra/host/bus_client.c