From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ben Skeggs <bskeggs@redhat.com>
Subject: Re: drm/nvd0/disp: initial crtc object implementation
Date: Tue, 26 Nov 2013 18:22:46 -0500 (EST)
Message-ID: <1940853357.8722109.1385508166826.JavaMail.root@redhat.com>
References: <20131126213027.GA20597@elgon.mountain>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <dri-devel-bounces@lists.freedesktop.org>
Received: from mx4-phx2.redhat.com (mx4-phx2.redhat.com [209.132.183.25])
	by gabe.freedesktop.org (Postfix) with ESMTP id DDC64FA421
	for <dri-devel@lists.freedesktop.org>;
	Tue, 26 Nov 2013 15:22:48 -0800 (PST)
In-Reply-To: <20131126213027.GA20597@elgon.mountain>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Sender: dri-devel-bounces@lists.freedesktop.org
Errors-To: dri-devel-bounces@lists.freedesktop.org
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

----- Original Message -----
> From: "Dan Carpenter" <dan.carpenter@oracle.com>
> To: bskeggs@redhat.com
> Cc: dri-devel@lists.freedesktop.org
> Sent: Wednesday, 27 November, 2013 7:30:27 AM
> Subject: re: drm/nvd0/disp: initial crtc object implementation
> 
> Hello Ben Skeggs,
> 
> The patch 438d99e3b175: "drm/nvd0/disp: initial crtc object
> implementation" from Jul 5, 2011, leads to the following
> static checker warning: "drivers/gpu/drm/nouveau/nv50_display.c:1272
> nv50_crtc_gamma_set()
> 	 error: buffer overflow 'nv_crtc->lut.r' 256 <= 256"
> 
> drivers/gpu/drm/nouveau/nv50_display.c
>   1263  static void
>   1264  nv50_crtc_gamma_set(struct drm_crtc *crtc, u16 *r, u16 *g, u16 *b,
>   1265                      uint32_t start, uint32_t size)
>   1266  {
>   1267          struct nouveau_crtc *nv_crtc = nouveau_crtc(crtc);
>   1268          u32 end = max(start + size, (u32)256);
>   1269          u32 i;
>   1270
>   1271          for (i = start; i < end; i++) {
>   1272                  nv_crtc->lut.r[i] = r[i];
>                                  ^^^^^^^^
> These arrays have 256 elements so going beyond seems like a bug.  Should
> the end = max() be a min() or something?
Yes, should definitely be a min.  Did you want to cook the patch or shall I?

Thanks,
Ben.

> 
>   1273                  nv_crtc->lut.g[i] = g[i];
>   1274                  nv_crtc->lut.b[i] = b[i];
>   1275          }
>   1276
>   1277          nv50_crtc_lut_load(crtc);
>   1278  }
> 
> regards,
> dan carpenter
> 
>