Re: [PATCH] [media] s3c-camif: fix out-of-bounds array access

On Wed, Sep 13, 2017 at 11:25 AM, Sylwester Nawrocki
<s.nawrocki@xxxxxxxxxxx> wrote:
> On 09/12/2017 10:09 PM, Arnd Bergmann wrote:

>>   {
>>       const struct s3c_camif_variant *variant = camif->variant;
>>       const struct vp_pix_limits *pix_lim;
>> -     int i = ARRAY_SIZE(camif_mbus_formats);
>>
>>       /* FIXME: constraints against codec or preview path ? */
>>       pix_lim = &variant->vp_pix_limits[VP_CODEC];
>>
>> -     while (i-- >= 0)
>> -             if (camif_mbus_formats[i] == mf->code)
>> -                     break;
>> -
>> -     mf->code = camif_mbus_formats[i];
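Review bot: Dropping the lookup entirely also drops the check that mf->code is one of the entries of camif_mbus_formats[], so the function no longer clamps an unsupported code to a supported one. The removed loop is wrong in two places rather than one: `while (i-- >= 0)` still runs the body when i is 0, so it reads camif_mbus_formats[-1] on its last pass, and after the failed test i has been post-decremented to -2, which is what `mf->code = camif_mbus_formats[i];` then indexes with. A bounded forward scan (`for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)`) followed by a fallback to camif_mbus_formats[0] when i reaches ARRAY_SIZE keeps the validation without either out-of-bounds read.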
>
>
> Interesting finding... the function needs to ensure mf->code is set
> to one of supported values by the driver, so instead of removing
> how about changing the above line to:
>
>         if (i < 0)
>                 mf->code = camif_mbus_formats[0];
>
> ?

That would still have one of the two out-of-bounds accesses ;-)

maybe this

for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
        if (camif_mbus_formats[i] == mf->code)
                break;

if (i == ARRAY_SIZE(camif_mbus_formats))
        mf->code = camif_mbus_formats[0];

      Arnd
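The following is an added, stand-alone C example illustrating the two bounds problems discussed above and the bounded lookup that avoids them. It is not code from the patch or from the s3c-camif driver: the `camif_mbus_formats[]` table holds constructed placeholder values rather than real MEDIA_BUS_FMT_* codes, `ARRAY_SIZE` is defined locally, and `original_loop_lowest_index()` / `original_loop_final_index()` only replay the index arithmetic of the removed `while (i-- >= 0)` loop without touching the array, so the example itself never reads out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the driver's camif_mbus_formats[] table.
 * The values are placeholders, not real MEDIA_BUS_FMT_* codes. */
static const uint32_t camif_mbus_formats[] = {
	0x1001, 0x1002, 0x1003, 0x1004,
};
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Replay the index sequence of the original loop
 *     i = n; while (i-- >= 0) { ...camif_mbus_formats[i]... }
 * for the no-match case, without dereferencing anything.
 * Returns the lowest index the loop body would have read. */
int original_loop_lowest_index(int n)
{
	int i = n, lowest = n;

	while (i-- >= 0)		/* body still runs once with i == -1 */
		if (i < lowest)
			lowest = i;
	return lowest;			/* -1 for any n >= 0 */
}

/* Value of i after the original loop falls through without a match;
 * this is the index the trailing `mf->code = camif_mbus_formats[i]` used. */
int original_loop_final_index(int n)
{
	int i = n;

	while (i-- >= 0)
		;
	return i;			/* -2 for any n >= 0 */
}

/* Fixed lookup: forward scan bounded by the table size.
 * Returns the table index of `code`, or -1 if it is not supported. */
int camif_lookup_index(uint32_t code)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
		if (camif_mbus_formats[i] == code)
			return (int)i;
	return -1;
}

/* What the driver needs from the lookup: the caller's code if it is in
 * the table, otherwise the first supported entry as a safe default. */
uint32_t camif_sanitize_code(uint32_t code)
{
	if (camif_lookup_index(code) < 0)
		return camif_mbus_formats[0];
	return code;
}

int main(void)
{
	int n = (int)ARRAY_SIZE(camif_mbus_formats);

	printf("original loop over %d entries: lowest index read %d, "
	       "index left for the assignment %d\n",
	       n, original_loop_lowest_index(n), original_loop_final_index(n));
	printf("0x1003 -> slot %d\n", camif_lookup_index(0x1003));
	/* 0xdead is a constructed unsupported code */
	printf("0xdead -> slot %d, sanitized to 0x%x\n",
	       camif_lookup_index(0xdead), camif_sanitize_code(0xdead));
	return 0;
}
```

Running it shows the original loop's index dipping to -1 while the body still executes and finishing at -2, which are the two accesses the thread refers to; the bounded scan never leaves [0, ARRAY_SIZE) and the fallback keeps the "clamp to a supported code" behaviour the driver relied on.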