Re: [PATCH] [media] s3c-camif: fix out-of-bounds array access

From: Sylwester Nawrocki
Date: Wed Sep 13 2017 - 11:54:59 EST


On 09/13/2017 04:03 PM, Arnd Bergmann wrote:
On Wed, Sep 13, 2017 at 11:25 AM, Sylwester Nawrocki
<s.nawrocki@xxxxxxxxxxx> wrote:
On 09/12/2017 10:09 PM, Arnd Bergmann wrote:
{
const struct s3c_camif_variant *variant = camif->variant;
const struct vp_pix_limits *pix_lim;
- int i = ARRAY_SIZE(camif_mbus_formats);

/* FIXME: constraints against codec or preview path ? */
pix_lim = &variant->vp_pix_limits[VP_CODEC];

- while (i-- >= 0)
- if (camif_mbus_formats[i] == mf->code)
- break;
-
- mf->code = camif_mbus_formats[i];

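Review bot: dropping the lookup removes both out-of-bounds reads but also drops the clamping of mf->code to a supported value. Starting from i = ARRAY_SIZE, `while (i-- >= 0)` still enters the body after i was 0, so when no entry matches it reads camif_mbus_formats[-1] inside the loop and leaves i at -2 for `mf->code = camif_mbus_formats[i];` after it. Keeping the validation as a bounded forward scan and assigning camif_mbus_formats[0] only when the index reaches ARRAY_SIZE avoids both reads and preserves the fallback.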
Interesting finding... the function needs to ensure mf->code is set
to one of the values supported by the driver, so instead of removing it,
how about changing the above line to:

if (i < 0)
	mf->code = camif_mbus_formats[0];

?
That would still have one of the two out-of-bounds accesses ;-)

Ah, indeed :/

maybe this

for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
	if (camif_mbus_formats[i] == mf->code)
		break;

if (i == ARRAY_SIZE(camif_mbus_formats))
	mf->code = camif_mbus_formats[0];

Yes, it should work that way.

--
Thanks,
Sylwester
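As an added userspace illustration, not code from the patch, the thread or the s3c-camif driver: the first function replays the index arithmetic of the removed `while (i-- >= 0)` loop without touching memory out of range, so the -1 and -2 indices discussed above can be observed, and the second is the bounded lookup proposed at the end of the thread. The table contents and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the driver's table of supported media-bus
 * codes; the values are made up for this example. */
static const uint32_t camif_mbus_formats[] = { 0x2006, 0x2008, 0x200a, 0x200c };
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Replays the index arithmetic of the removed loop without ever
 * dereferencing an out-of-range slot. Returns the value of i after the
 * loop; if min_idx is non-NULL, stores the smallest index the loop
 * tried to read there. */
int original_loop_final_index(uint32_t code, int *min_idx)
{
	int i = (int)ARRAY_SIZE(camif_mbus_formats);
	int lowest = i;

	while (i-- >= 0) {
		if (i < lowest)
			lowest = i;
		/* Read the table only when the index is actually in range. */
		if (i >= 0 && camif_mbus_formats[i] == code)
			break;
	}
	if (min_idx)
		*min_idx = lowest;
	return i;	/* -2 when nothing matched; -1 was read inside the loop */
}

/* Convenience wrapper returning only the lowest index the old loop read. */
int original_loop_min_index(uint32_t code)
{
	int m;

	original_loop_final_index(code, &m);
	return m;
}

/* Bounded lookup as agreed in the thread: scan forward and fall back to
 * the first supported code when none matches. Returns the resulting code. */
uint32_t try_mbus_code(uint32_t code)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
		if (camif_mbus_formats[i] == code)
			break;
	if (i == ARRAY_SIZE(camif_mbus_formats))
		code = camif_mbus_formats[0];
	return code;
}
```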