media: venus: hfi: fix the check to handle session buffer requirement

Buffer requirement, for different buffer type, comes from video firmware.
While copying these requirements, there is an OOB possibility when the
payload from firmware is more than expected size. Fix the check to avoid
the OOB possibility.

Cc: stable@vger.kernel.org
Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
Reviewed-by: Nathan Hebert <nhebert@chromium.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>

diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c
index 7cab685a2ec804e0cf2a1dbc54df47eeceb49fcc..0a041b4db9efc549621de07dd13b4a3a37a70d11 100644 (file)
--- a/drivers/media/platform/qcom/venus/hfi_msgs.c
+++ b/drivers/media/platform/qcom/venus/hfi_msgs.c
@@ -398,7 +398,7 @@ session_get_prop_buf_req(struct hfi_msg_session_property_info_pkt *pkt,
                memcpy(&bufreq[idx], buf_req, sizeof(*bufreq));
                idx++;
 
-               if (idx > HFI_BUFFER_TYPE_MAX)
+               if (idx >= HFI_BUFFER_TYPE_MAX)
                        return HFI_ERR_SESSION_INVALID_PARAMETER;
 
                req_bytes -= sizeof(struct hfi_buffer_requirements);