tegra:nvavp: Fix buffer overflow issue
Praveen Kumar Reddy M.V [Mon, 13 Jun 2016 11:38:32 +0000 (16:38 +0530)]
Fixed possible buffer overflow issue in func
nvavp_pushbuffer_update().

Bug 1774401

Change-Id: Id0dec1cbf91d492335d0809c3c0bf146f6cb9d3d
Signed-off-by: Praveen Kumar Reddy M.V. <pkreddy@nvidia.com>
Reviewed-on: http://git-master/r/1163365
(cherry picked from commit 1e9ba50b225e841b52a93503fce818c1a21100f7)
Reviewed-on: http://git-master/r/1164130
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

drivers/media/platform/tegra/nvavp/nvavp_dev.c

index 843ea33..05c5f99 100644 (file)
@@ -871,6 +871,7 @@ static int nvavp_pushbuffer_update(struct nvavp_info *nvavp, u32 phys_addr,
        u32 wordcount = 0;
        u32 index, value = -1;
        int ret = 0;
+       u32 max_index = 0;
 
        mutex_lock(&nvavp->open_lock);
        nvavp_runtime_get(nvavp);
@@ -885,7 +886,9 @@ static int nvavp_pushbuffer_update(struct nvavp_info *nvavp, u32 phys_addr,
        mutex_lock(&channel_info->pushbuffer_lock);
 
        /* check for pushbuffer wrapping */
-       if (channel_info->pushbuf_index >= channel_info->pushbuf_fence)
+       max_index = channel_info->pushbuf_fence;
+       max_index = ext_ucode_flag ? max_index : max_index - (sizeof(u32) * 4);
+       if (channel_info->pushbuf_index >= max_index)
                channel_info->pushbuf_index = 0;
 
        if (!ext_ucode_flag) {