* [PATCH] v4l: soc_camera: fix bound checking of mbus_fmt[] index
@ 2010-02-18 6:03 Baruch Siach
2010-02-19 17:26 ` Guennadi Liakhovetski
0 siblings, 1 reply; 3+ messages in thread
From: Baruch Siach @ 2010-02-18 6:03 UTC (permalink / raw)
To: Guennadi Liakhovetski; +Cc: linux-media, Baruch Siach
When code <= V4L2_MBUS_FMT_FIXED soc_mbus_get_fmtdesc returns a pointer to
mbus_fmt[x], where x < 0. Fix this.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
drivers/media/video/soc_mediabus.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/drivers/media/video/soc_mediabus.c b/drivers/media/video/soc_mediabus.c
index f8d5c87..a2808e2 100644
--- a/drivers/media/video/soc_mediabus.c
+++ b/drivers/media/video/soc_mediabus.c
@@ -136,6 +136,8 @@ const struct soc_mbus_pixelfmt *soc_mbus_get_fmtdesc(
{
if ((unsigned int)(code - V4L2_MBUS_FMT_FIXED) > ARRAY_SIZE(mbus_fmt))
return NULL;
+ if ((unsigned int)code <= V4L2_MBUS_FMT_FIXED)
+ return NULL;
return mbus_fmt + code - V4L2_MBUS_FMT_FIXED - 1;
}
EXPORT_SYMBOL(soc_mbus_get_fmtdesc);
--
1.6.6.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] v4l: soc_camera: fix bound checking of mbus_fmt[] index
2010-02-18 6:03 [PATCH] v4l: soc_camera: fix bound checking of mbus_fmt[] index Baruch Siach
@ 2010-02-19 17:26 ` Guennadi Liakhovetski
2010-02-20 19:01 ` Baruch Siach
0 siblings, 1 reply; 3+ messages in thread
From: Guennadi Liakhovetski @ 2010-02-19 17:26 UTC (permalink / raw)
To: Baruch Siach; +Cc: Linux Media Mailing List
On Thu, 18 Feb 2010, Baruch Siach wrote:
Thanks for the patch, but I decided to improve it a bit. In fact, the only
case my original version was missing was code == V4L2_MBUS_FMT_FIXED, the
correct test would be
(unsigned int)(code - V4L2_MBUS_FMT_FIXED -1) >= ARRAY_SIZE(mbus_fmt)
but to make it simple we can indeed break this into two tests, the
compiler will optimise it for us. So, if you agree, I'll push the version
of your patch, attached at the bottom of this mail, for 2.6.33, so, please
reply asap...
Thanks
Guennadi
> When code <= V4L2_MBUS_FMT_FIXED soc_mbus_get_fmtdesc returns a pointer to
> mbus_fmt[x], where x < 0. Fix this.
>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> ---
> drivers/media/video/soc_mediabus.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/media/video/soc_mediabus.c b/drivers/media/video/soc_mediabus.c
> index f8d5c87..a2808e2 100644
> --- a/drivers/media/video/soc_mediabus.c
> +++ b/drivers/media/video/soc_mediabus.c
> @@ -136,6 +136,8 @@ const struct soc_mbus_pixelfmt *soc_mbus_get_fmtdesc(
> {
> if ((unsigned int)(code - V4L2_MBUS_FMT_FIXED) > ARRAY_SIZE(mbus_fmt))
> return NULL;
> + if ((unsigned int)code <= V4L2_MBUS_FMT_FIXED)
> + return NULL;
> return mbus_fmt + code - V4L2_MBUS_FMT_FIXED - 1;
> }
> EXPORT_SYMBOL(soc_mbus_get_fmtdesc);
> --
> 1.6.6.1
>
---
Guennadi Liakhovetski, Ph.D.
Freelance Open-Source Software Developer
http://www.open-technology.de/
>From 00109d655b4b8cf25bc68a215966be810e372e87 Mon Sep 17 00:00:00 2001
From: Baruch Siach <baruch@tkos.co.il>
Date: Fri, 19 Feb 2010 18:09:25 +0100
Subject: [PATCH] v4l: soc_camera: fix bound checking of mbus_fmt[] index
When code <= V4L2_MBUS_FMT_FIXED soc_mbus_get_fmtdesc returns a pointer to
mbus_fmt[x], where x < 0. Fix this.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
---
drivers/media/video/soc_mediabus.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/media/video/soc_mediabus.c b/drivers/media/video/soc_mediabus.c
index f8d5c87..a4c0ef4 100644
--- a/drivers/media/video/soc_mediabus.c
+++ b/drivers/media/video/soc_mediabus.c
@@ -134,7 +134,8 @@ EXPORT_SYMBOL(soc_mbus_bytes_per_line);
const struct soc_mbus_pixelfmt *soc_mbus_get_fmtdesc(
enum v4l2_mbus_pixelcode code)
{
- if ((unsigned int)(code - V4L2_MBUS_FMT_FIXED) > ARRAY_SIZE(mbus_fmt))
+ if (code - V4L2_MBUS_FMT_FIXED > ARRAY_SIZE(mbus_fmt) ||
+ code <= V4L2_MBUS_FMT_FIXED)
return NULL;
return mbus_fmt + code - V4L2_MBUS_FMT_FIXED - 1;
}
--
1.6.2.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] v4l: soc_camera: fix bound checking of mbus_fmt[] index
2010-02-19 17:26 ` Guennadi Liakhovetski
@ 2010-02-20 19:01 ` Baruch Siach
0 siblings, 0 replies; 3+ messages in thread
From: Baruch Siach @ 2010-02-20 19:01 UTC (permalink / raw)
To: Guennadi Liakhovetski; +Cc: Linux Media Mailing List
Hi Guennadi,
On Fri, Feb 19, 2010 at 06:26:06PM +0100, Guennadi Liakhovetski wrote:
> On Thu, 18 Feb 2010, Baruch Siach wrote:
>
> Thanks for the patch, but I decided to improve it a bit. In fact, the only
> case my original version was missing was code == V4L2_MBUS_FMT_FIXED, the
> correct test would be
>
> (unsigned int)(code - V4L2_MBUS_FMT_FIXED -1) >= ARRAY_SIZE(mbus_fmt)
>
> but to make it simple we can indeed break this into two tests, the
> compiler will optimise it for us. So, if you agree, I'll push the version
> of your patch, attached at the bottom of this mail, for 2.6.33, so, please
> reply asap...
That's OK by me.
baruch
> > When code <= V4L2_MBUS_FMT_FIXED soc_mbus_get_fmtdesc returns a pointer to
> > mbus_fmt[x], where x < 0. Fix this.
> >
> > Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> > ---
> > drivers/media/video/soc_mediabus.c | 2 ++
> > 1 files changed, 2 insertions(+), 0 deletions(-)
> >
> > diff --git a/drivers/media/video/soc_mediabus.c b/drivers/media/video/soc_mediabus.c
> > index f8d5c87..a2808e2 100644
> > --- a/drivers/media/video/soc_mediabus.c
> > +++ b/drivers/media/video/soc_mediabus.c
> > @@ -136,6 +136,8 @@ const struct soc_mbus_pixelfmt *soc_mbus_get_fmtdesc(
> > {
> > if ((unsigned int)(code - V4L2_MBUS_FMT_FIXED) > ARRAY_SIZE(mbus_fmt))
> > return NULL;
> > + if ((unsigned int)code <= V4L2_MBUS_FMT_FIXED)
> > + return NULL;
> > return mbus_fmt + code - V4L2_MBUS_FMT_FIXED - 1;
> > }
> > EXPORT_SYMBOL(soc_mbus_get_fmtdesc);
> > --
> > 1.6.6.1
> >
>
> ---
> Guennadi Liakhovetski, Ph.D.
> Freelance Open-Source Software Developer
> http://www.open-technology.de/
>
>
> From 00109d655b4b8cf25bc68a215966be810e372e87 Mon Sep 17 00:00:00 2001
> From: Baruch Siach <baruch@tkos.co.il>
> Date: Fri, 19 Feb 2010 18:09:25 +0100
> Subject: [PATCH] v4l: soc_camera: fix bound checking of mbus_fmt[] index
>
> When code <= V4L2_MBUS_FMT_FIXED soc_mbus_get_fmtdesc returns a pointer to
> mbus_fmt[x], where x < 0. Fix this.
>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
> ---
> drivers/media/video/soc_mediabus.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/media/video/soc_mediabus.c b/drivers/media/video/soc_mediabus.c
> index f8d5c87..a4c0ef4 100644
> --- a/drivers/media/video/soc_mediabus.c
> +++ b/drivers/media/video/soc_mediabus.c
> @@ -134,7 +134,8 @@ EXPORT_SYMBOL(soc_mbus_bytes_per_line);
> const struct soc_mbus_pixelfmt *soc_mbus_get_fmtdesc(
> enum v4l2_mbus_pixelcode code)
> {
> - if ((unsigned int)(code - V4L2_MBUS_FMT_FIXED) > ARRAY_SIZE(mbus_fmt))
> + if (code - V4L2_MBUS_FMT_FIXED > ARRAY_SIZE(mbus_fmt) ||
> + code <= V4L2_MBUS_FMT_FIXED)
> return NULL;
> return mbus_fmt + code - V4L2_MBUS_FMT_FIXED - 1;
> }
> --
> 1.6.2.4
>
--
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2010-02-20 19:02 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-02-18 6:03 [PATCH] v4l: soc_camera: fix bound checking of mbus_fmt[] index Baruch Siach
2010-02-19 17:26 ` Guennadi Liakhovetski
2010-02-20 19:01 ` Baruch Siach
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox