[patch] [media] mx2-camera: potential negative underflow bug

linux-media.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Cc: Mauro Carvalho Chehab <m.chehab@samsung.com>,
	linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] [media] mx2-camera: potential negative underflow bug
Date: Thu, 18 Sep 2014 15:23:36 +0300	[thread overview]
Message-ID: <20140918122336.GA13147@mwanda> (raw)

My static checker complains:

	drivers/media/platform/soc_camera/mx2_camera.c:1070
	mx2_emmaprp_resize() warn: no lower bound on 'num'

The heuristic is that it's looking for values which the user can
influence and we put an upper bound on them but we (perhaps
accidentally) allow negative numbers.

I am not very familiar with this code but I have looked at it and think
there might be a bug.  Making the variable unsigned seems like a safe
option either way and this silences the static checker warning.

The call tree is:
  -> subdev_do_ioctl()
     -> mx2_camera_set_fmt()
        -> mx2_emmaprp_resize()
The check:
	if (num > RESIZE_NUM_MAX)
can underflow and then we use "num" on the else path.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/media/platform/soc_camera/mx2_camera.c b/drivers/media/platform/soc_camera/mx2_camera.c
index b40bc2e..bc27a47 100644
--- a/drivers/media/platform/soc_camera/mx2_camera.c
+++ b/drivers/media/platform/soc_camera/mx2_camera.c
@@ -1003,7 +1003,7 @@ static int mx2_emmaprp_resize(struct mx2_camera_dev *pcdev,
 			      struct v4l2_mbus_framefmt *mf_in,
 			      struct v4l2_pix_format *pix_out, bool apply)
 {
-	int num, den;
+	unsigned int num, den;
 	unsigned long m;
 	int i, dir;

                 reply	other threads:[~2014-09-18 12:23 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:b40bc2e dfblob:bc27a47 )
 OR (
bs:"[patch] [media] mx2-camera: potential negative underflow bug" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140918122336.GA13147@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=g.liakhovetski@gmx.de \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=m.chehab@samsung.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).