* [patch] [media] mx2-camera: potential negative underflow bug
@ 2014-09-18 12:23 ` Dan Carpenter
0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2014-09-18 12:23 UTC (permalink / raw)
To: Guennadi Liakhovetski; +Cc: Mauro Carvalho Chehab, linux-media, kernel-janitors
My static checker complains:
drivers/media/platform/soc_camera/mx2_camera.c:1070
mx2_emmaprp_resize() warn: no lower bound on 'num'
The heuristic is that it's looking for values which the user can
influence and we put an upper bound on them but we (perhaps
accidentally) allow negative numbers.
I am not very familiar with this code but I have looked at it and think
there might be a bug. Making the variable unsigned seems like a safe
option either way and this silences the static checker warning.
The call tree is:
-> subdev_do_ioctl()
-> mx2_camera_set_fmt()
-> mx2_emmaprp_resize()
The check:
if (num > RESIZE_NUM_MAX)
can underflow and then we use "num" on the else path.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/media/platform/soc_camera/mx2_camera.c b/drivers/media/platform/soc_camera/mx2_camera.c
index b40bc2e..bc27a47 100644
--- a/drivers/media/platform/soc_camera/mx2_camera.c
+++ b/drivers/media/platform/soc_camera/mx2_camera.c
@@ -1003,7 +1003,7 @@ static int mx2_emmaprp_resize(struct mx2_camera_dev *pcdev,
struct v4l2_mbus_framefmt *mf_in,
struct v4l2_pix_format *pix_out, bool apply)
{
- int num, den;
+ unsigned int num, den;
unsigned long m;
int i, dir;
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [patch] [media] mx2-camera: potential negative underflow bug
@ 2014-09-18 12:23 ` Dan Carpenter
0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2014-09-18 12:23 UTC (permalink / raw)
To: Guennadi Liakhovetski; +Cc: Mauro Carvalho Chehab, linux-media, kernel-janitors
My static checker complains:
drivers/media/platform/soc_camera/mx2_camera.c:1070
mx2_emmaprp_resize() warn: no lower bound on 'num'
The heuristic is that it's looking for values which the user can
influence and we put an upper bound on them but we (perhaps
accidentally) allow negative numbers.
I am not very familiar with this code but I have looked at it and think
there might be a bug. Making the variable unsigned seems like a safe
option either way and this silences the static checker warning.
The call tree is:
-> subdev_do_ioctl()
-> mx2_camera_set_fmt()
-> mx2_emmaprp_resize()
The check:
if (num > RESIZE_NUM_MAX)
can underflow and then we use "num" on the else path.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/media/platform/soc_camera/mx2_camera.c b/drivers/media/platform/soc_camera/mx2_camera.c
index b40bc2e..bc27a47 100644
--- a/drivers/media/platform/soc_camera/mx2_camera.c
+++ b/drivers/media/platform/soc_camera/mx2_camera.c
@@ -1003,7 +1003,7 @@ static int mx2_emmaprp_resize(struct mx2_camera_dev *pcdev,
struct v4l2_mbus_framefmt *mf_in,
struct v4l2_pix_format *pix_out, bool apply)
{
- int num, den;
+ unsigned int num, den;
unsigned long m;
int i, dir;
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-09-18 12:23 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-09-18 12:23 [patch] [media] mx2-camera: potential negative underflow bug Dan Carpenter
2014-09-18 12:23 ` Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.