Re: [PATCH v4 4/6] media: chips-media: wave5: Add range checks for dec_output_info
From: Nicolas Dufresne
Date: Thu May 07 2026 - 19:28:13 EST
On Thursday, 7 May 2026 at 20:58 +0000, Ricardo Ribalda wrote:
> If the driver's dec_output_info contains invalid data the driver can
> write in invalid memory. Add a range check for that.
>
> This fixes this smatch error:
> drivers/media/platform/chips-media/wave5/wave5-vpuapi.c:588
> wave5_vpu_dec_get_output_info() error: buffer overflow 'inst->frame_buf' 64 <=
> 127
>
> Signed-off-by: Ricardo Ribalda <ribalda@xxxxxxxxxxxx>
It's theoretical, but considering it's a warn_on, I'm fine with it.
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@xxxxxxxxxxxxx>
> ---
> drivers/media/platform/chips-media/wave5/wave5-vpuapi.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c
> b/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c
> index d26ffc942219..f77abd5e122a 100644
> --- a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c
> +++ b/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c
> @@ -584,8 +584,15 @@ int wave5_vpu_dec_get_output_info(struct vpu_instance
> *inst, struct dec_output_i
> p_dec_info->num_of_decoding_fbs : p_dec_info-
> >num_of_display_fbs;
>
> if (info->index_frame_display >= 0 &&
> - info->index_frame_display < (int)max_dec_index)
> - info->disp_frame = inst->frame_buf[val + info-
> >index_frame_display];
> + info->index_frame_display < (int)max_dec_index) {
> + u32 idx = val + info->index_frame_display;
> +
> + if (WARN_ON(idx >= MAX_REG_FRAME)) {
> + ret = -EINVAL;
> + goto err_out;
> + }
> + info->disp_frame = inst->frame_buf[idx];
> + }
>
> info->rd_ptr = p_dec_info->stream_rd_ptr;
> info->wr_ptr = p_dec_info->stream_wr_ptr;
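Review bot: The added check `WARN_ON(idx >= MAX_REG_FRAME)` bounds the index by a constant rather than by the array it protects, so it stays correct only while MAX_REG_FRAME matches the declared size of inst->frame_buf (64 according to the smatch report quoted in the commit message). If frame_buf is a fixed-size array member, `idx >= ARRAY_SIZE(inst->frame_buf)` would tie the check to the declaration. Because the commit message describes the trigger as invalid data in dec_output_info, WARN_ON_ONCE may also be worth considering so that a condition recurring on every call does not flood the log with backtraces, and so that the behaviour on systems with panic_on_warn set is a deliberate choice.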