[bug report] media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: mirela.rabulea@nxp.com
Cc: linux-media@vger.kernel.org
Subject: [bug report] media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder
Date: Tue, 1 Mar 2022 15:42:08 +0300	[thread overview]
Message-ID: <20220301124208.GA27743@kili> (raw)

Hello Mirela Rabulea,

The patch 2db16c6ed72c: "media: imx-jpeg: Add V4L2 driver for i.MX8
JPEG Encoder/Decoder" from Mar 11, 2021, leads to the following
Smatch static checker warning:

	drivers/media/platform/imx-jpeg/mxc-jpeg.c:1070 mxc_jpeg_queue_setup()
	warn: potential user controlled iterator 'i' (array size 2 vs 7)

drivers/media/platform/imx-jpeg/mxc-jpeg.c
    1053 static int mxc_jpeg_queue_setup(struct vb2_queue *q,
    1054                                 unsigned int *nbuffers,
    1055                                 unsigned int *nplanes,
    1056                                 unsigned int sizes[],
    1057                                 struct device *alloc_ctxs[])
    1058 {
    1059         struct mxc_jpeg_ctx *ctx = vb2_get_drv_priv(q);
    1060         struct mxc_jpeg_q_data *q_data = NULL;
    1061         int i;
    1062 
    1063         q_data = mxc_jpeg_get_q_data(ctx, q->type);
    1064         if (!q_data)
    1065                 return -EINVAL;
    1066 
    1067         /* Handle CREATE_BUFS situation - *nplanes != 0 */
    1068         if (*nplanes) {
    1069                 for (i = 0; i < *nplanes; i++) {
--> 1070                         if (sizes[i] < q_data->sizeimage[i])

Smatch thinks "*nplanes" is controlled by the user in vb2_create_bufs()
and it can be up to VIDEO_MAX_PLANES(8).  Meanwhile the q_data->sizeimage[]
array only has MXC_JPEG_MAX_PLANES(2) elements so this looks to be an
out of bounds access.

    1071                                 return -EINVAL;
    1072                 }
    1073                 return 0;
    1074         }
    1075 
    1076         /* Handle REQBUFS situation */
    1077         *nplanes = q_data->fmt->colplanes;
    1078         for (i = 0; i < *nplanes; i++)
    1079                 sizes[i] = q_data->sizeimage[i];
    1080 
    1081         return 0;
    1082 }

regards,
dan carpenter

next             reply	other threads:[~2022-03-01 12:42 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-01 12:42 Dan Carpenter [this message]
2022-03-04 15:51 ` [bug report] media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder Mirela Rabulea
2022-03-07  9:44   ` Dan Carpenter
2022-03-08 13:18     ` [EXT] " Mirela Rabulea

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220301124208.GA27743@kili \
    --to=dan.carpenter@oracle.com \
    --cc=linux-media@vger.kernel.org \
    --cc=mirela.rabulea@nxp.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.