| Message ID | 20180525131239.45exrwgxr2f3kb57@kili.mountain (mailing list archive) |
|---|---|
| State | Superseded, archived |
| Delegated to: | Hans Verkuil |
| Headers |
Received: from vger.kernel.org ([209.132.180.67]) by www.linuxtv.org with esmtp (Exim 4.84_2) (envelope-from <linux-media-owner@vger.kernel.org>) id 1fMCWk-0003VZ-CF; Fri, 25 May 2018 13:13:02 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S936009AbeEYNM7 (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Fri, 25 May 2018 09:12:59 -0400 Received: from aserp2120.oracle.com ([141.146.126.78]:51720 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935167AbeEYNM5 (ORCPT <rfc822;linux-media@vger.kernel.org>); Fri, 25 May 2018 09:12:57 -0400 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w4PDBPZa067805; Fri, 25 May 2018 13:12:53 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : mime-version : content-type : in-reply-to; s=corp-2017-10-26; bh=MbqWjSqgQKdMAlPls954GVHJl63DX5xV/98pMibN+gM=; b=Q5Lgj7MAZixWVLuru1EPQyADIs9m56aF4mYDAuFQdWXbPpPKsQrguqakxQooEnXnZrGD 5zbNBFyv6q50/eO5cHYcyn7N2zPw6J3JtW0Zqs0K23hVbu/lCmtn3MQm9ScohYVOubnn GjrfPlxpB6YCHh2Zdk7XAUHp5KgEgHpXa0BvGnAshWS+A0NG9OdQyDKP5/jvrx/6FVHK Q2Y53Z751Il4k45rVxJJwo6gTg0A4Chh+cV/K5dzOuyXoaQeYETKtxFoQZj6xBcIFvJj LCzffFZXV0dTLgeSnebn9tKmlH9ldZjBw/1I5DnK8QIOLHjdGgukerf33sft68MJxBG7 hA== Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by aserp2120.oracle.com with ESMTP id 2j62swb9rr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 25 May 2018 13:12:53 +0000 Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w4PDCqSR002952 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 25 May 2018 13:12:53 GMT Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w4PDCq8b004898; Fri, 25 May 2018 13:12:52 GMT Received: from kili.mountain (/41.210.155.166) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 25 May 2018 06:12:51 -0700 Date: Fri, 25 May 2018 16:12:39 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>, Manjunath Hadli <manjunath.hadli@ti.com>, Hans Verkuil <hverkuil@xs4all.nl> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>, linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH v2] media: davinci vpbe: array underflow in vpbe_enum_outputs() Message-ID: <20180525131239.45exrwgxr2f3kb57@kili.mountain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <054ede38-b194-d1f9-7961-851c8b1acd5f@xs4all.nl> X-Mailer: git-send-email haha only kidding User-Agent: NeoMutt/20170113 (1.7.2) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8903 signatures=668700 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=977 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1805250143 Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org |
Commit Message
Dan Carpenter
May 25, 2018, 1:12 p.m. UTC
In vpbe_enum_outputs() we check if (temp_index >= cfg->num_outputs) but
the problem is that temp_index can be negative. I've made
cgf->num_outputs unsigned to fix this issue.
Fixes: 66715cdc3224 ("[media] davinci vpbe: VPBE display driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: fix it a different way
Comments
On 25/05/18 15:12, Dan Carpenter wrote: > In vpbe_enum_outputs() we check if (temp_index >= cfg->num_outputs) but > the problem is that temp_index can be negative. I've made > cgf->num_outputs unsigned to fix this issue. Shouldn't temp_index also be made unsigned? It certainly would make a lot of sense to do that. Regards, Hans > > Fixes: 66715cdc3224 ("[media] davinci vpbe: VPBE display driver") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > v2: fix it a different way > > diff --git a/include/media/davinci/vpbe.h b/include/media/davinci/vpbe.h > index 79a566d7defd..180a05e91497 100644 > --- a/include/media/davinci/vpbe.h > +++ b/include/media/davinci/vpbe.h > @@ -92,7 +92,7 @@ struct vpbe_config { > struct encoder_config_info *ext_encoders; > /* amplifier information goes here */ > struct amp_config_info *amp; > - int num_outputs; > + unsigned int num_outputs; > /* Order is venc outputs followed by LCD and then external encoders */ > struct vpbe_output *outputs; > }; >
On Fri, May 25, 2018 at 03:16:21PM +0200, Hans Verkuil wrote: > On 25/05/18 15:12, Dan Carpenter wrote: > > In vpbe_enum_outputs() we check if (temp_index >= cfg->num_outputs) but > > the problem is that temp_index can be negative. I've made > > cgf->num_outputs unsigned to fix this issue. > > Shouldn't temp_index also be made unsigned? It certainly would make a lot of > sense to do that. Yeah, sure. It doesn't make any difference in terms of runtime but it's probably cleaner. regards, dan carpenter
On Mon, May 28, 2018 at 7:26 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote: > In vpbe_enum_outputs() we check if (temp_index >= cfg->num_outputs) but > the problem is that temp_index can be negative. I've changed the types > to unsigned to fix this issue. > > Fixes: 66715cdc3224 ("[media] davinci vpbe: VPBE display driver") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > v2: fix it a different way > v3: change everything to unsigned because that's the right thing to do > and looks nicer. > Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com> Regards, --Prabhakar Lad > diff --git a/include/media/davinci/vpbe.h b/include/media/davinci/vpbe.h > index 79a566d7defd..180a05e91497 100644 > --- a/include/media/davinci/vpbe.h > +++ b/include/media/davinci/vpbe.h > @@ -92,7 +92,7 @@ struct vpbe_config { > struct encoder_config_info *ext_encoders; > /* amplifier information goes here */ > struct amp_config_info *amp; > - int num_outputs; > + unsigned int num_outputs; > /* Order is venc outputs followed by LCD and then external encoders */ > struct vpbe_output *outputs; > }; > diff --git a/drivers/media/platform/davinci/vpbe.c b/drivers/media/platform/davinci/vpbe.c > index 18c035ef84cf..c6fee53bff4d 100644 > --- a/drivers/media/platform/davinci/vpbe.c > +++ b/drivers/media/platform/davinci/vpbe.c > @@ -126,7 +126,7 @@ static int vpbe_enum_outputs(struct vpbe_device *vpbe_dev, > struct v4l2_output *output) > { > struct vpbe_config *cfg = vpbe_dev->cfg; > - int temp_index = output->index; > + unsigned int temp_index = output->index; > > if (temp_index >= cfg->num_outputs) > return -EINVAL;
diff --git a/include/media/davinci/vpbe.h b/include/media/davinci/vpbe.h index 79a566d7defd..180a05e91497 100644 --- a/include/media/davinci/vpbe.h +++ b/include/media/davinci/vpbe.h @@ -92,7 +92,7 @@ struct vpbe_config { struct encoder_config_info *ext_encoders; /* amplifier information goes here */ struct amp_config_info *amp; - int num_outputs; + unsigned int num_outputs; /* Order is venc outputs followed by LCD and then external encoders */ struct vpbe_output *outputs; };