* [PATCH] media: imx-jpeg: avoid array overflow
@ 2023-02-14 10:28 Arnd Bergmann
2023-02-14 10:44 ` Laurent Pinchart
0 siblings, 1 reply; 2+ messages in thread
From: Arnd Bergmann @ 2023-02-14 10:28 UTC (permalink / raw)
To: Mirela Rabulea, Mauro Carvalho Chehab, Shawn Guo, Sascha Hauer,
Hans Verkuil, Ming Qian
Cc: Arnd Bergmann, NXP Linux Team, Pengutronix Kernel Team,
Fabio Estevam, Laurent Pinchart, linux-media, linux-arm-kernel,
linux-kernel
From: Arnd Bergmann <arnd@arndb.de>
gcc-9 (unlike newer versions) reports a possible array overflow
in mxc_jpeg_dec_irq():
drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c: In function 'mxc_jpeg_dec_irq':
drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:28: error: array subscript 2 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Werror=array-bounds]
641 | size += q_data->sizeimage[i];
| ~~~~~~~~~~~~~~~~~^~~
drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:28: error: array subscript 3 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Werror=array-bounds]
The compiler clearly deduces that fmt->mem_planes is at least '2' if
this code line is reached, and that fmt->comp_planes must be at least
one more for the loop to make sense. However, this does not actually
seem to be the case in the initialized values, so I would guess that
this part of the function is never reached in practice.
As a workaround, add a compile-time condition that skips any out-of-range
array indices.
Fixes: ccc9f1db9c6b ("media: imx-jpeg: Support contiguous and non contiguous format")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
index f085f14d676a..7a667bfc2424 100644
--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
@@ -638,7 +638,8 @@ static u32 mxc_jpeg_get_plane_size(struct mxc_jpeg_q_data *q_data, u32 plane_no)
size = q_data->sizeimage[fmt->mem_planes - 1];
for (i = fmt->mem_planes; i < fmt->comp_planes; i++)
- size += q_data->sizeimage[i];
+ if (i < MXC_JPEG_MAX_PLANES)
+ size += q_data->sizeimage[i];
return size;
}
--
2.39.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] media: imx-jpeg: avoid array overflow
2023-02-14 10:28 [PATCH] media: imx-jpeg: avoid array overflow Arnd Bergmann
@ 2023-02-14 10:44 ` Laurent Pinchart
0 siblings, 0 replies; 2+ messages in thread
From: Laurent Pinchart @ 2023-02-14 10:44 UTC (permalink / raw)
To: Arnd Bergmann
Cc: Mirela Rabulea, Mauro Carvalho Chehab, Shawn Guo, Sascha Hauer,
Hans Verkuil, Ming Qian, Arnd Bergmann, NXP Linux Team,
Pengutronix Kernel Team, Fabio Estevam, linux-media,
linux-arm-kernel, linux-kernel
Hi Arnd,
Thank you for the patch.
On Tue, Feb 14, 2023 at 11:28:20AM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
>
> gcc-9 (unlike newer versions) reports a possible array overflow
> in mxc_jpeg_dec_irq():
>
> drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c: In function 'mxc_jpeg_dec_irq':
> drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:28: error: array subscript 2 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Werror=array-bounds]
> 641 | size += q_data->sizeimage[i];
> | ~~~~~~~~~~~~~~~~~^~~
> drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:28: error: array subscript 3 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Werror=array-bounds]
>
> The compiler clearly deduces that fmt->mem_planes is at least '2' if
> this code line is reached, and that fmt->comp_planes must be at least
> one more for the loop to make sense. However, this does not actually
> seem to be the case in the initialized values, so I would guess that
> this part of the function is never reached in practice.
>
> As a workaround, add a compile-time condition that skips any out-of-range
> array indices.
>
> Fixes: ccc9f1db9c6b ("media: imx-jpeg: Support contiguous and non contiguous format")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
> index f085f14d676a..7a667bfc2424 100644
> --- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
> +++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
> @@ -638,7 +638,8 @@ static u32 mxc_jpeg_get_plane_size(struct mxc_jpeg_q_data *q_data, u32 plane_no)
>
> size = q_data->sizeimage[fmt->mem_planes - 1];
> for (i = fmt->mem_planes; i < fmt->comp_planes; i++)
> - size += q_data->sizeimage[i];
> + if (i < MXC_JPEG_MAX_PLANES)
> + size += q_data->sizeimage[i];
There's a risk someone will try to optimize this later, realizing that
the check isn't needed, and we'll get the warning back. A comment would
thus be useful.
Also, how about writing it as
for (i = fmt->mem_planes; i < min(fmt->comp_planes, MXC_JPEG_MAX_PLANES); i++)
size += q_data->sizeimage[i];
>
> return size;
> }
--
Regards,
Laurent Pinchart
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-02-14 10:46 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-02-14 10:28 [PATCH] media: imx-jpeg: avoid array overflow Arnd Bergmann
2023-02-14 10:44 ` Laurent Pinchart
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).