[media] cx25821: Is there a potential buffer-underflow in cx25821-core.c?

From: Tuo Li
Date: Thu Aug 12 2021 - 00:21:45 EST


Hello,

Our static analysis tool reports a possible buffer-underflow in cx25821-core.c in Linux 5.14.0-rc3:

The variable channel_select is checked in:
761:    if (channel_select <= 7 && channel_select >= 0)

This indicates that channel_select can be negative.
If so, a buffer-underflow will occur:
765:    dev->channels[channel_select].pixel_formats = format;

However, we checked this report manually, and found that the only call site is in cx25821-video.c:
394:    cx25821_set_pixel_format(dev, SRAM_CH00, pix_format);

And SRAM_CH00 is not negative.

I am not sure whether this negative-check is redundant or there is a potential buffer-underflow.
Any feedback would be appreciated, thanks!

Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx>

Best wishes,
Tuo Li
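
The pattern the report describes, as an added example that is not code from the kernel tree or from the message above: a range check that guards only one statement while a later array store uses the same index unguarded, next to a form where the check covers every access. The struct layout, `NUM_CHANNELS`, the `hw_pix_frmt` field and both function names are hypothetical, and the example assumes, as the report implies, that the store at line 765 sits outside the checked block.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_CHANNELS 8          /* assumption: indexes 0..7, matching the "<= 7" check */

struct channel {                /* hypothetical stand-in for the driver's per-channel state */
    uint32_t hw_pix_frmt;       /* models a value written to hardware */
    uint32_t pixel_formats;
};

struct dev {
    struct channel channels[NUM_CHANNELS];
};

/* Shape the report describes: the check guards one statement only, so the
 * final store runs for any channel_select, including negative values. */
void set_pixel_format_reported(struct dev *dev, int channel_select, uint32_t format)
{
    if (channel_select <= 7 && channel_select >= 0)
        dev->channels[channel_select].hw_pix_frmt = format;

    dev->channels[channel_select].pixel_formats = format;   /* unguarded index */
}

/* Hardened form: reject out-of-range indexes before any array access. */
int set_pixel_format_checked(struct dev *dev, int channel_select, uint32_t format)
{
    if (channel_select < 0 || channel_select >= NUM_CHANNELS)
        return -EINVAL;

    dev->channels[channel_select].hw_pix_frmt = format;
    dev->channels[channel_select].pixel_formats = format;
    return 0;
}

int main(void)
{
    struct dev d = {0};

    /* Constructed inputs: one valid index, two out-of-range ones. */
    printf("%d %d %d\n",
           set_pixel_format_checked(&d, 0, 0x1234),
           set_pixel_format_checked(&d, -1, 0x1234),
           set_pixel_format_checked(&d, 8, 0x1234));
    return 0;
}
```

With a single caller that passes a non-negative constant, both forms behave the same; the checked form keeps that true if another caller is added later.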