msm: mdss: check the length of the external input buffer properly

dchdr->dlen is a short variable controlled by the user-provided data
(a string). If the value is negative, the condition does not pass
and loop continues, also increasing the value of "len". As a result
buffer overflow and overwrite occurs.

Change-Id: I5eacec446c9a8b5b82fc3bc6d1281303f336d4de
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
Ashish Garg 2017-09-14 13:13:16 +05:30 committed by Gerrit - the friendly Code Review server
parent f48ed0afc6
commit b26399f539
1 changed files with 1 additions and 1 deletions

@ -858,7 +858,7 @@ static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
while (len >= sizeof(*dchdr)) {
dchdr = (struct dsi_ctrl_hdr *)bp;
dchdr->dlen = ntohs(dchdr->dlen);
if (dchdr->dlen > len) {
if (dchdr->dlen > len || dchdr->dlen < 0) {
pr_err("%s: dtsi cmd=%x error, len=%d\n",
__func__, dchdr->dtype, dchdr->dlen);
kfree(buf);
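
Review bot: The upper bound in `if (dchdr->dlen > len || dchdr->dlen < 0)` is still compared against a `len` that includes the header just parsed, since nothing between the `while (len >= sizeof(*dchdr))` test and this check subtracts it. A dlen between len - sizeof(*dchdr) and len therefore passes even though fewer payload bytes than that remain after the header. Consider bounding it as `dchdr->dlen > len - sizeof(*dchdr)`, which is safe here because the loop condition guarantees the subtraction cannot underflow. Separately, the `< 0` test only works because dlen is a signed short holding the result of ntohs(); reading the converted value into an unsigned 16-bit local and comparing that would make the intent explicit and avoid relying on the sign wrap. A short comment on the check saying that dlen comes from user-provided data would also help future readers.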