From: Arnd Bergmann
To: Sylwester Nawrocki, Mauro Carvalho Chehab
Cc: Arnd Bergmann, Laurent Pinchart, Sakari Ailus, linux-media@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] [v2] media: s3c-camif: fix out-of-bounds array access
Date: Tue, 16 Jan 2018 16:30:46 +0100
Message-Id: <20180116153105.3523235-1-arnd@arndb.de>

While experimenting with older compiler versions, I ran into a warning
that no longer shows up on gcc-4.8 or newer:

drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format':
drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds

This is an off-by-one bug, leading to an access before the
start of the array, while newer compilers silently assume this undefined
behavior cannot happen and leave the loop at index 0 if no other entry
matches.

As Sylwester explains, we actually need to ensure that the value is
within the range, so this reworks the loop to be easier to parse
correctly, and adds an additional check to fall back on the first format
value for any unexpected input.

I found an existing gcc bug for it and added a reduced version of the
function there.

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3
Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
Signed-off-by: Arnd Bergmann
---
v2: rework logic rather than removing it.
---
 drivers/media/platform/s3c-camif/camif-capture.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/s3c-camif/camif-capture.c b/drivers/media/platform/s3c-camif/camif-capture.c index 437395a61065..002609be1400 100644 --- a/drivers/media/platform/s3c-camif/camif-capture.c +++ b/drivers/media/platform/s3c-camif/camif-capture.c @@ -1256,15 +1256,18 @@ static void __camif_subdev_try_format(struct camif_dev *camif, { const struct s3c_camif_variant *variant = camif->variant; const struct vp_pix_limits *pix_lim; - int i = ARRAY_SIZE(camif_mbus_formats); + int i; /* FIXME: constraints against codec or preview path ? */ pix_lim = &variant->vp_pix_limits[VP_CODEC]; - while (i-- >= 0) + for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++) if (camif_mbus_formats[i] == mf->code) break; + if (i == ARRAY_SIZE(camif_mbus_formats)) + mf->code = camif_mbus_formats[0]; + mf->code = camif_mbus_formats[i]; if (pad == CAMIF_SD_PAD_SINK) {
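
Review bot: In the no-match path, the unchanged context line `mf->code = camif_mbus_formats[i];` that follows the new `if (i == ARRAY_SIZE(camif_mbus_formats))` check still executes with i equal to the array size, so it reads one element past the end of camif_mbus_formats and overwrites the fallback value that was just assigned. The out-of-bounds access has moved from below the array to above it rather than being removed. Suggest either setting `i = 0;` in the if body so the existing assignment picks up the first entry, or dropping the trailing assignment altogether, since on a match mf->code already equals camif_mbus_formats[i]. Minor: `i` is declared int while ARRAY_SIZE() yields an unsigned value, so `unsigned int i` would avoid a signed/unsigned comparison in the loop condition.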