Message ID | 20230214102827.920927-1-arnd@kernel.org (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Hans Verkuil |
Headers |
Received: from vger.kernel.org ([23.128.96.18]) by www.linuxtv.org with esmtp (Exim 4.92) (envelope-from <linux-media-owner@vger.kernel.org>) id 1pRsY9-002t5F-Nm; Tue, 14 Feb 2023 10:28:38 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232261AbjBNK2f (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Tue, 14 Feb 2023 05:28:35 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34856 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229647AbjBNK2e (ORCPT <rfc822;linux-media@vger.kernel.org>); Tue, 14 Feb 2023 05:28:34 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1FFC7222CC; Tue, 14 Feb 2023 02:28:34 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B73B2B81D02; Tue, 14 Feb 2023 10:28:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 81045C433EF; Tue, 14 Feb 2023 10:28:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1676370511; bh=VXmlpVfXufPNp5GbWFKiYEO94rbwAJ8jTU7CP3mRlNU=; h=From:To:Cc:Subject:Date:From; b=Ru3vjApGt+0QIZXiTYclPxmiljRyZE2ThkkptgivuodTb1QAE6MLtnssWQ23G+bIn H5YVd3tMvHWrPZycDwqAWFO7WIfzrb77OnyJOsXafqSstauuwOjwQDIz8G5elR0r/D FhsTzUGh7IlrqQYf2woOVpdc2kUJmWOXUuQBc6OTx12QqbENTovcV+uDPw32vffiAn 4YfSDeaEdRa63mc3tNOAyFM7zk82npNxUyIUrCz1b8uTZEAwCvIn2iLxlvQD1ecQg8 taS3ziI2sIqmtnqE/se3E/enPNNHvmOzPOLU0h3ZZIqu7yZd3JQJXc37M9YzEkDMz9 Z/SIrieSzHjtg== From: Arnd Bergmann <arnd@kernel.org> To: Mirela Rabulea <mirela.rabulea@nxp.com>, Mauro Carvalho Chehab <mchehab@kernel.org>, Shawn Guo <shawnguo@kernel.org>, Sascha Hauer <s.hauer@pengutronix.de>, Hans Verkuil <hverkuil-cisco@xs4all.nl>, Ming Qian <ming.qian@nxp.com> Cc: Arnd Bergmann <arnd@arndb.de>, NXP Linux Team <linux-imx@nxp.com>, Pengutronix Kernel Team <kernel@pengutronix.de>, Fabio Estevam <festevam@gmail.com>, Laurent Pinchart <laurent.pinchart@ideasonboard.com>, linux-media@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH] media: imx-jpeg: avoid array overflow Date: Tue, 14 Feb 2023 11:28:20 +0100 Message-Id: <20230214102827.920927-1-arnd@kernel.org> X-Mailer: git-send-email 2.39.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org X-LSpam-Score: -3.1 (---) X-LSpam-Report: No, score=-3.1 required=5.0 tests=BAYES_00=-1.9,DKIMWL_WL_HIGH=0.001,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,MAILING_LIST_MULTI=-1 autolearn=ham autolearn_force=no |
Series |
media: imx-jpeg: avoid array overflow
|
|
Commit Message
Arnd Bergmann
Feb. 14, 2023, 10:28 a.m. UTC
From: Arnd Bergmann <arnd@arndb.de> gcc-9 (unlike newer versions) reports a possible array overflow in mxc_jpeg_dec_irq(): drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c: In function 'mxc_jpeg_dec_irq': drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:28: error: array subscript 2 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Werror=array-bounds] 641 | size += q_data->sizeimage[i]; | ~~~~~~~~~~~~~~~~~^~~ drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:28: error: array subscript 3 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Werror=array-bounds] The compiler clearly deduces that fmt->mem_planes is at least '2' if this code line is reached, and that fmt->comp_planes must be at least one more for the loop to make sense. However, this does not actually seem to be the case in the initialized values, so I would guess that this part of the function is never reached in practice. As a workaround, add a compile-time condition that skips any out-of-range array indices. Fixes: ccc9f1db9c6b ("media: imx-jpeg: Support contiguous and non contiguous format") Signed-off-by: Arnd Bergmann <arnd@arndb.de> --- drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
Comments
Hi Arnd, Thank you for the patch. On Tue, Feb 14, 2023 at 11:28:20AM +0100, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@arndb.de> > > gcc-9 (unlike newer versions) reports a possible array overflow > in mxc_jpeg_dec_irq(): > > drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c: In function 'mxc_jpeg_dec_irq': > drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:28: error: array subscript 2 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Werror=array-bounds] > 641 | size += q_data->sizeimage[i]; > | ~~~~~~~~~~~~~~~~~^~~ > drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:28: error: array subscript 3 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Werror=array-bounds] > > The compiler clearly deduces that fmt->mem_planes is at least '2' if > this code line is reached, and that fmt->comp_planes must be at least > one more for the loop to make sense. However, this does not actually > seem to be the case in the initialized values, so I would guess that > this part of the function is never reached in practice. > > As a workaround, add a compile-time condition that skips any out-of-range > array indices. > > Fixes: ccc9f1db9c6b ("media: imx-jpeg: Support contiguous and non contiguous format") > Signed-off-by: Arnd Bergmann <arnd@arndb.de> > --- > drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c > index f085f14d676a..7a667bfc2424 100644 > --- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c > +++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c > @@ -638,7 +638,8 @@ static u32 mxc_jpeg_get_plane_size(struct mxc_jpeg_q_data *q_data, u32 plane_no) > > size = q_data->sizeimage[fmt->mem_planes - 1]; > for (i = fmt->mem_planes; i < fmt->comp_planes; i++) > - size += q_data->sizeimage[i]; > + if (i < MXC_JPEG_MAX_PLANES) > + size += q_data->sizeimage[i]; There's a risk someone will try to optimize this later, realizing that the check isn't needed, and we'll get the warning back. A comment would thus be useful. Also, how about writing it as for (i = fmt->mem_planes; i < min(fmt->comp_planes, MXC_JPEG_MAX_PLANES); i++) size += q_data->sizeimage[i]; > > return size; > }
diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c index f085f14d676a..7a667bfc2424 100644 --- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c +++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c @@ -638,7 +638,8 @@ static u32 mxc_jpeg_get_plane_size(struct mxc_jpeg_q_data *q_data, u32 plane_no) size = q_data->sizeimage[fmt->mem_planes - 1]; for (i = fmt->mem_planes; i < fmt->comp_planes; i++) - size += q_data->sizeimage[i]; + if (i < MXC_JPEG_MAX_PLANES) + size += q_data->sizeimage[i]; return size; }