From patchwork Thu Sep 18 12:23:36 2014
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 25974
X-Patchwork-Delegate: g.liakhovetski@gmx.de
Date: Thu, 18 Sep 2014 15:23:36 +0300
From: Dan Carpenter
To: Guennadi Liakhovetski
Cc: Mauro Carvalho Chehab, linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] [media] mx2-camera: potential negative underflow bug
Message-ID: <20140918122336.GA13147@mwanda>

My static checker complains:

	drivers/media/platform/soc_camera/mx2_camera.c:1070 mx2_emmaprp_resize() warn: no lower bound on 'num'

The heuristic is that it's looking for values which the user can
influence and we put an upper bound on them but we (perhaps
accidentally) allow negative numbers.

I am not very familiar with this code but I have looked at it and think
there might be a bug.  Making the variable unsigned seems like a safe
option either way and this silences the static checker warning.

The call tree is:
  -> subdev_do_ioctl()
     -> mx2_camera_set_fmt()
        -> mx2_emmaprp_resize()

The check:

	if (num > RESIZE_NUM_MAX)

can underflow and then we use "num" on the else path.

Signed-off-by: Dan Carpenter --- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/media/platform/soc_camera/mx2_camera.c b/drivers/media/platform/soc_camera/mx2_camera.c index b40bc2e..bc27a47 100644 --- a/drivers/media/platform/soc_camera/mx2_camera.c +++ b/drivers/media/platform/soc_camera/mx2_camera.c @@ -1003,7 +1003,7 @@ static int mx2_emmaprp_resize(struct mx2_camera_dev *pcdev, struct v4l2_mbus_framefmt *mf_in, struct v4l2_pix_format *pix_out, bool apply) { - int num, den; + unsigned int num, den; unsigned long m; int i, dir;
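
Review bot: the changed declaration `unsigned int num, den;` converts `den` as well, but the changelog and the checker warning only discuss `num`; please say in the changelog whether `den` has the same missing lower bound or is converted only for consistency. The neighbouring `int i, dir;` stays signed, so any expression in mx2_emmaprp_resize() that mixes `num` or `den` with `i` or `dir` (the function body is not visible in this hunk) will now be evaluated as unsigned, and it is worth confirming that nothing there relies on a negative intermediate value. Since the changelog says only that there "might be a bug", it would also help to name the user-supplied field that reaches `num` through the subdev_do_ioctl() path, so the maintainer can judge whether the else path was actually reachable with a negative value.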