[PATCH] media: go7007: avoid undefined shifts in MPEG-4 headers

From: Yousef Alhouseen

Date: Tue Jun 30 2026 - 06:56:44 EST


The byte-alignment paths can call CODE_ADD() with a zero bit
length. The macro then shifts an int by name.b, which can be 32
after the preceding bit was flushed.

vti_bitlen() can likewise shift a signed int into its sign bit while
searching for the bit length, and the package mask construction can
shift by the full type width.

Make zero-length additions a no-op, derive the bit length with fls(),
and build the mask with GENMASK().

Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/media/usb/go7007/go7007-fw.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/drivers/media/usb/go7007/go7007-fw.c b/drivers/media/usb/go7007/go7007-fw.c
index 86ce593e0c54..8cf959c20e30 100644
--- a/drivers/media/usb/go7007/go7007-fw.c
+++ b/drivers/media/usb/go7007/go7007-fw.c
@@ -13,6 +13,7 @@
*/

#include <linux/module.h>
+#include <linux/bitops.h>
#include <linux/time.h>
#include <linux/mm.h>
#include <linux/device.h>
@@ -58,14 +59,16 @@ struct code_gen {
#define CODE_GEN(name, dest) struct code_gen name = { dest, 0, 32, 0 }

#define CODE_ADD(name, val, length) do { \
- name.b -= (length); \
- name.a |= (val) << name.b; \
- while (name.b <= 24) { \
- *name.p = name.a >> 24; \
- ++name.p; \
- name.a <<= 8; \
- name.b += 8; \
- name.len += 8; \
+ if (length) { \
+ name.b -= (length); \
+ name.a |= (val) << name.b; \
+ while (name.b <= 24) { \
+ *name.p = name.a >> 24; \
+ ++name.p; \
+ name.a <<= 8; \
+ name.b += 8; \
+ name.len += 8; \
+ } \
} \
} while (0)

@@ -707,11 +710,10 @@ static int gen_mpeg1hdr_to_package(struct go7007 *go,

static int vti_bitlen(struct go7007 *go)
{
- unsigned int i, max_time_incr = go->sensor_framerate / go->fps_scale;
+ unsigned int max_time_incr = go->sensor_framerate / go->fps_scale;
+ int bitlen = fls(max_time_incr);

- for (i = 31; (max_time_incr & ((1 << i) - 1)) == max_time_incr; --i)
- ;
- return i + 1;
+ return bitlen ?: 1;
}

static int mpeg4_frame_header(struct go7007 *go, unsigned char *buf,
@@ -1209,7 +1211,7 @@ static int seqhead_to_package(struct go7007 *go, __le16 *code, int space,
0xbf08, fps,
0xbf09, 0,
0xbff2, vop_time_increment_bitlength,
- 0xbff3, (1 << vop_time_increment_bitlength) - 1,
+ 0xbff3, GENMASK(vop_time_increment_bitlength - 1, 0),
0xbfe6, 0,
0xbfe7, (fps / 1000) << 8,
0, 0,
--
2.54.0