From: Dan Carpenter <dan.carpenter@oracle.com>
To: hans.verkuil@cisco.com
Cc: linux-media@vger.kernel.org
Subject: [bug report] [media] mxb: fix audio handling
Date: Wed, 10 Apr 2019 14:09:34 +0300
Message-ID: <20190410110934.GA3459@kadam>

[ Hi Hans,

  This might not really be your bug, but I just respect you a lot and
  so I always come to you with questions and for advice.  -dan ]

Hello Hans Verkuil,

The patch 6680427791c9: "[media] mxb: fix audio handling" from Apr
30, 2012, leads to the following static checker warning:

    drivers/media/pci/saa7146/mxb.c:196 tea6420_route()
    warn: uncapped user index 'TEA6420_cd[idx]'

drivers/media/pci/saa7146/mxb.c
   194  static inline void tea6420_route(struct mxb *mxb, int idx)
   195  {
--> 196          v4l2_subdev_call(mxb->tea6420_1, audio, s_routing,
   197                  TEA6420_cd[idx][0].input, TEA6420_cd[idx][0].output, 0);
                                   ^^^
Index overflow.  The TEA6420_cd[] array has MXB_AUDIOS + 1 (which is 7
altogether) elements.

   198          v4l2_subdev_call(mxb->tea6420_2, audio, s_routing,
   199                  TEA6420_cd[idx][1].input, TEA6420_cd[idx][1].output, 0);
   200          v4l2_subdev_call(mxb->tea6420_1, audio, s_routing,
   201                  TEA6420_line[idx][0].input, TEA6420_line[idx][0].output, 0);
   202          v4l2_subdev_call(mxb->tea6420_2, audio, s_routing,
   203                  TEA6420_line[idx][1].input, TEA6420_line[idx][1].output, 0);
   204  }

[ snip ]

   650  static int vidioc_s_audio(struct file *file, void *fh, const struct v4l2_audio *a)
   651  {
   652          struct saa7146_dev *dev = ((struct saa7146_fh *)fh)->dev;
   653          struct mxb *mxb = (struct mxb *)dev->ext_priv;
   654
   655          DEB_D("VIDIOC_S_AUDIO %d\n", a->index);
   656          if (mxb_inputs[mxb->cur_input].audioset & (1 << a->index)) {

This a->index comes from the ioctl and it's a u32 so the shift can wrap.
The .audioset variable is always 0x3f.  In other words BIT(6) is the
highest valid bit so we could add a check:

        if (a->index > MXB_AUDIOS)
                return;

   657                  if (mxb->cur_audinput != a->index) {
   658                          mxb->cur_audinput = a->index;
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Now here's the complication.  We also use a->index as an index into the
mxb_inputs[] array which only has MXB_INPUTS (4) elements, so just
adding the limit would still lead to a different array out of bounds
later...

   659                          tea6420_route(mxb, a->index);
   660                          if (mxb->cur_audinput == 0)
   661                                  mxb_update_audmode(mxb);
   662                  }
   663                  return 0;
   664          }
   665          return -EINVAL;
   666  }

regards,
dan carpenter
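
Added example (not part of the original message and not the mxb driver's code): a userspace C model of the two points in the report, showing that a bit-mask test alone does not bound a u32 index and that each table needs a limit taken from its own size. The table names, their contents and the helper functions are constructed for illustration; only the sizes (7 and 4) and the 0x3f mask come from the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-ins: only the sizes (7 and 4) and 0x3f come from the report. */
static const int model_route[7] = { 10, 11, 12, 13, 14, 15, 16 };
static const int model_input[4] = { 100, 101, 102, 103 };
static const uint32_t model_audioset = 0x3f;

/* Mask test alone. A shift count >= 32 is undefined in C; "& 31" models the
 * common hardware behaviour of using only the low five bits of the count. */
int mask_only_accepts(uint32_t index)
{
	return (model_audioset & (UINT32_C(1) << (index & 31))) != 0;
}

/* Bound the index by the table it will index before shifting or indexing. */
int route_lookup(uint32_t index, int *out)
{
	if (index >= ARRAY_SIZE(model_route))
		return -EINVAL;
	if (!(model_audioset & (UINT32_C(1) << index)))
		return -EINVAL;
	*out = model_route[index];
	return 0;
}

/* The smaller table needs its own limit; the 7-entry bound does not cover it. */
int input_lookup(uint32_t index, int *out)
{
	if (index >= ARRAY_SIZE(model_input))
		return -EINVAL;
	*out = model_input[index];
	return 0;
}

int main(void)
{
	int v = -1;
	int rc = route_lookup(5, &v);

	printf("mask-only test accepts 37: %d\n", mask_only_accepts(37));
	printf("route_lookup(5): %d (value %d)\n", rc, v);
	printf("route_lookup(37): %d\n", route_lookup(37, &v));
	printf("input_lookup(5): %d\n", input_lookup(5, &v));
	return 0;
}
```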