[PATCH v2 4/6] media: chips-media: wave5: Add range checks for dec_output_info

From: Ricardo Ribalda

Date: Fri May 01 2026 - 07:33:13 EST


If the driver's dec_output_info contains invalid data the driver can
write in invalid memory. Add a range check for that.

This fixes this smatch error:
drivers/media/platform/chips-media/wave5/wave5-vpuapi.c:588 wave5_vpu_dec_get_output_info() error: buffer overflow 'inst->frame_buf' 64 <= 127

Signed-off-by: Ricardo Ribalda <ribalda@xxxxxxxxxxxx>
---
drivers/media/platform/chips-media/wave5/wave5-vpuapi.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c b/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c
index d26ffc942219..f77abd5e122a 100644
--- a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c
+++ b/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c
@@ -584,8 +584,15 @@ int wave5_vpu_dec_get_output_info(struct vpu_instance *inst, struct dec_output_i
p_dec_info->num_of_decoding_fbs : p_dec_info->num_of_display_fbs;

if (info->index_frame_display >= 0 &&
- info->index_frame_display < (int)max_dec_index)
- info->disp_frame = inst->frame_buf[val + info->index_frame_display];
+ info->index_frame_display < (int)max_dec_index) {
+ u32 idx = val + info->index_frame_display;
+
+ if (WARN_ON(idx >= MAX_REG_FRAME)) {
+ ret = -EINVAL;
+ goto err_out;
+ }
+ info->disp_frame = inst->frame_buf[idx];
+ }

info->rd_ptr = p_dec_info->stream_rd_ptr;
info->wr_ptr = p_dec_info->stream_wr_ptr;
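
Review bot: In the added `if (WARN_ON(idx >= MAX_REG_FRAME))` check, the bound is a macro while the access is `inst->frame_buf[idx]`, and nothing in this hunk shows that the array is declared with MAX_REG_FRAME elements (smatch reports its size as 64). Using `idx >= ARRAY_SIZE(inst->frame_buf)` would keep the check tied to the array even if one of the two changes later. Also, WARN_ON fires on every call that hits the condition and is fatal when panic_on_warn is set. If the invalid data mentioned in the commit message can come from the device rather than from a driver bug, WARN_ON_ONCE or a dev_err() that prints idx would be a better fit. Finally, the guarded statement reads from frame_buf into info->disp_frame, so the commit message's "write in invalid memory" could be reworded to describe an out-of-bounds read.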

--
2.54.0.545.g6539524ca2-goog