[PATCH] media: mali-c55: fix integer overflow in scaler factor calculation

Next message: Mikko Perttunen: "[PATCH v5 4/7] pwm: tegra: Modify read/write accessors for multi-register channel"
Previous message: Mikko Perttunen: "[PATCH v5 1/7] dt-bindings: pwm: Document Tegra264 controller"
Next in thread: David Carlier: "[PATCH v2] media: mali-c55: fix integer overflow in scaler factor calculation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Carlier

Date: Thu May 28 2026 - 22:48:25 EST

The scaling factors are computed by multiplying the crop dimension by
the Q4.20 unit (1 << 20) and dividing by the output dimension. The
results are stored in u64, but both operands are 32-bit, so the product
is evaluated in 32-bit arithmetic and only widened afterwards.

Crop dimensions may be up to 8192. Once a dimension reaches 4096 the
product overflows 32 bits and wraps (zero at exactly 4096), programming
a corrupted scaling increment and corrupting the downscaled output.

Define the fixed-point unit as unsigned long long so the multiplication
is done in 64-bit arithmetic.

Fixes: d5f281f3dd29 ("media: mali-c55: Add Mali-C55 ISP driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: David Carlier <devnexen@xxxxxxxxx>
---
drivers/media/platform/arm/mali-c55/mali-c55-resizer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/arm/mali-c55/mali-c55-resizer.c b/drivers/media/platform/arm/mali-c55/mali-c55-resizer.c
index c4f46651dcee..182a1b19def4 100644
--- a/drivers/media/platform/arm/mali-c55/mali-c55-resizer.c
+++ b/drivers/media/platform/arm/mali-c55/mali-c55-resizer.c
@@ -15,7 +15,7 @@
#include "mali-c55-registers.h"

/* Scaling factor in Q4.20 format. */
-#define MALI_C55_RSZ_SCALER_FACTOR (1U << 20)
+#define MALI_C55_RSZ_SCALER_FACTOR (1ULL << 20)

#define MALI_C55_RSZ_COEFS_BANKS 8
#define MALI_C55_RSZ_COEFS_ENTRIES 64
--
2.53.0