media: mfc: add refcnt condition check to avoid OOB

Bug: 321712082 Change-Id: I220454ff345f07ed0ef10fb8937cc66e64de7f19 Signed-off-by: Seungchul Kim <sc377.kim@samsung.com>
author: Seungchul Kim <sc377.kim@samsung.com> 2024-03-05 11:54:44 +0900
committer: Wen Chang Liu <wenchangliu@google.com> 2024-03-05 09:31:09 +0000
commit: 548b226108d27a85d77e7d15b240ea7b06c8bc9e (patch)
tree: 6ea873074242e1abfa1ffc270881c99ef1cd8bd1
parent: 388db6efa004d2fdbbcfd13958197a2641c723b0 (diff)
download: gs-548b226108d27a85d77e7d15b240ea7b06c8bc9e.tar.gz
2 files changed, 16 insertions, 8 deletions
diff --git a/drivers/media/platform/exynos/mfc/mfc_core_isr.c b/drivers/media/platform/exynos/mfc/mfc_core_isr.c
index 16278f9a7..6be29e4ca 100644
--- a/drivers/media/platform/exynos/mfc/mfc_core_isr.c
+++ b/drivers/media/platform/exynos/mfc/mfc_core_isr.c
@@ -195,7 +195,8 @@ static void __mfc_handle_frame_unused_output(struct mfc_core *core, struct mfc_c
 				UNUSED_TAG);
 
 		dec->ref_buf[dec->refcnt].fd[0] = mfc_buf->vb.vb2_buf.planes[0].m.fd;
-		dec->refcnt++;
+		if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+			dec->refcnt++;
 
 		vb2_buffer_done(&mfc_buf->vb.vb2_buf, VB2_BUF_STATE_DONE);
 		mfc_debug(2, "[DPB] dst index [%d][%d] fd: %d is buffer done (not used)\n",
@@ -595,7 +596,8 @@ static void __mfc_handle_released_buf(struct mfc_core *core, struct mfc_ctx *ctx
 			dec->dpb[i].ref = 0;
 			if (dec->dpb[i].queued && (dec->dpb[i].new_fd != -1)) {
 				dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-				dec->refcnt++;
+				if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+					dec->refcnt++;
 				mfc_debug(3, "[REFINFO] Queued DPB[%d] released fd: %d\n",
 						i, dec->dpb[i].fd[0]);
 				dec->dpb[i].fd[0] = dec->dpb[i].new_fd;
@@ -604,7 +606,8 @@ static void __mfc_handle_released_buf(struct mfc_core *core, struct mfc_ctx *ctx
 						i, dec->dpb[i].fd[0]);
 			} else if (!dec->dpb[i].queued) {
 				dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-				dec->refcnt++;
+				if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+					dec->refcnt++;
 				mfc_debug(3, "[REFINFO] Dqueued DPB[%d] released fd: %d\n",
 						i, dec->dpb[i].fd[0]);
 				/*
@@ -630,7 +633,8 @@ static void __mfc_handle_released_buf(struct mfc_core *core, struct mfc_ctx *ctx
 		if (!(dec->dynamic_used & (1UL << i)) && dec->dpb[i].mapcnt
 				&& !dec->dpb[i].queued) {
 			dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-			dec->refcnt++;
+			if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+				dec->refcnt++;
 			mfc_debug(3, "[REFINFO] display DPB[%d] released fd: %d\n",
 					i, dec->dpb[i].fd[0]);
 			dec->dpb_table_used &= ~(1UL << i);
diff --git a/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c b/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c
index 30b3a633e..f100fa2dc 100644
--- a/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c
+++ b/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c
@@ -1746,7 +1746,8 @@ static void __mfc_core_nal_q_handle_frame_unused_output(struct mfc_ctx *ctx,
 				UNUSED_TAG);
 
 		dec->ref_buf[dec->refcnt].fd[0] = mfc_buf->vb.vb2_buf.planes[0].m.fd;
-		dec->refcnt++;
+		if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+			dec->refcnt++;
 
 		vb2_buffer_done(&mfc_buf->vb.vb2_buf, VB2_BUF_STATE_DONE);
 		mfc_debug(2, "[NALQ][DPB] dst index [%d][%d] fd: %d is buffer done (not used)\n",
@@ -2207,7 +2208,8 @@ static void __mfc_core_nal_q_handle_released_buf(struct mfc_core *core, struct m
 			dec->dpb[i].ref = 0;
 			if (dec->dpb[i].queued && (dec->dpb[i].new_fd != -1)) {
 				dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-				dec->refcnt++;
+				if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+					dec->refcnt++;
 				mfc_debug(3, "[NALQ][REFINFO] Queued DPB[%d] released fd: %d\n",
 						i, dec->dpb[i].fd[0]);
 				dec->dpb[i].fd[0] = dec->dpb[i].new_fd;
@@ -2216,7 +2218,8 @@ static void __mfc_core_nal_q_handle_released_buf(struct mfc_core *core, struct m
 						i, dec->dpb[i].fd[0]);
 			} else if (!dec->dpb[i].queued) {
 				dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-				dec->refcnt++;
+				if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+					dec->refcnt++;
 				mfc_debug(3, "[NALQ][REFINFO] Dqueued DPB[%d] released fd: %d\n",
 						i, dec->dpb[i].fd[0]);
 				/*
@@ -2242,7 +2245,8 @@ static void __mfc_core_nal_q_handle_released_buf(struct mfc_core *core, struct m
 		if (!(dec->dynamic_used & (1UL << i)) && dec->dpb[i].mapcnt
 				&& !dec->dpb[i].queued) {
 			dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-			dec->refcnt++;
+			if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+				dec->refcnt++;
 			mfc_debug(3, "[NALQ][REFINFO] display DPB[%d] released fd: %d\n",
 					i, dec->dpb[i].fd[0]);
 			dec->dpb_table_used &= ~(1UL << i);
author	Seungchul Kim <sc377.kim@samsung.com>	2024-03-05 11:54:44 +0900
committer	Wen Chang Liu <wenchangliu@google.com>	2024-03-05 09:31:09 +0000
commit	548b226108d27a85d77e7d15b240ea7b06c8bc9e (patch)
tree	6ea873074242e1abfa1ffc270881c99ef1cd8bd1
parent	388db6efa004d2fdbbcfd13958197a2641c723b0 (diff)
download	gs-548b226108d27a85d77e7d15b240ea7b06c8bc9e.tar.gz