[bug report] V4L/DVB (3420): Added iocls to configure VBI on tvp5150

public inbox for linux-media@vger.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: mchehab@kernel.org
Cc: linux-media@vger.kernel.org
Subject: [bug report] V4L/DVB (3420): Added iocls to configure VBI on tvp5150
Date: Mon, 19 Feb 2018 17:27:52 +0300	[thread overview]
Message-ID: <20180219142751.GA10113@mwanda> (raw)

[ This is obviously ancient code.  It's probably fine.  I've just been
  going through all array overflow warnings recently.  - dan ]

Hello Mauro Carvalho Chehab,

The patch 12db56071b47: "V4L/DVB (3420): Added iocls to configure VBI
on tvp5150" from Jan 23, 2006, leads to the following static checker
warning:

	drivers/media/i2c/tvp5150.c:730 tvp5150_get_vbi()
	error: buffer overflow 'regs' 5 <= 14

drivers/media/i2c/tvp5150.c
   699  static int tvp5150_get_vbi(struct v4l2_subdev *sd,
   700                          const struct i2c_vbi_ram_value *regs, int line)
   701  {
   702          struct tvp5150 *decoder = to_tvp5150(sd);
   703          v4l2_std_id std = decoder->norm;
   704          u8 reg;
   705          int pos, type = 0;
   706          int i, ret = 0;
   707  
   708          if (std == V4L2_STD_ALL) {
   709                  dev_err(sd->dev, "VBI can't be configured without knowing number of lines\n");
   710                  return 0;
   711          } else if (std & V4L2_STD_625_50) {
   712                  /* Don't follow NTSC Line number convension */
   713                  line += 3;
   714          }
   715  
   716          if (line < 6 || line > 27)
   717                  return 0;
   718  
   719          reg = ((line - 6) << 1) + TVP5150_LINE_MODE_INI;
   720  
   721          for (i = 0; i <= 1; i++) {
   722                  ret = tvp5150_read(sd, reg + i);
   723                  if (ret < 0) {
   724                          dev_err(sd->dev, "%s: failed with error = %d\n",
   725                                   __func__, ret);
   726                          return 0;
   727                  }
   728                  pos = ret & 0x0f;
   729                  if (pos < 0x0f)
                            ^^^^^^^^^^
Smatch thinks this implies pos can be 0-14.

   730                          type |= regs[pos].type.vbi_type;
                                        ^^^^^^^^^
This array only has 5 elements.

   731          }
   732  
   733          return type;
   734  }


regards,
dan carpenter

next             reply	other threads:[~2018-02-19 14:33 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-19 14:27 Dan Carpenter [this message]
2018-02-19 18:42 ` [bug report] V4L/DVB (3420): Added iocls to configure VBI on tvp5150 Mauro Carvalho Chehab

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180219142751.GA10113@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox