Hi, On Tue 24 Mar 26, 16:08, Pengpeng Hou wrote: > Cedrus consumes H.264 ref_pic_list0/ref_pic_list1 entries from the > stateless slice control and later uses their indices to look up > decode->dpb[] in _cedrus_write_ref_list(). > > Rejecting such controls in cedrus_try_ctrl() would break existing > userspace, since stateless H.264 reference lists may legitimately carry > out-of-range indices for missing references. Instead, guard the actual > DPB lookup in Cedrus and skip entries whose indices do not fit the fixed > V4L2_H264_NUM_DPB_ENTRIES array. Could you explain why it is legitimate that userspace would pass indices that are not in the dpb list? As far as I remember from the H.264 spec, the L0/L1 lists are constructed from active references only and the number of items there should be given by num_ref_idx_l0_active_minus1/num_ref_idx_l1_active_minus1. We can tolerate invalid data beyond these indices, but certainly not as part of the indices that should be valid. However I agree that cedrus_try_ctrl is maybe not the right place to check it since I'm not sure we are guaranteed that the slice params control will be checked before the new DPB (from the same request) is applied, so we might end up checking against the dpb from the previous decode request. But I think we should error out and not just skip the invalid reference. All the best, Paul > > This keeps the fix local to the driver use site and avoids out-of-bounds > reads from malformed or unsupported reference list entries. > > Signed-off-by: Pengpeng Hou > --- > drivers/staging/media/sunxi/cedrus/cedrus_h264.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_h264.c b/drivers/staging/media/sunxi/cedrus/cedrus_h264.c > --- a/drivers/staging/media/sunxi/cedrus/cedrus_h264.c > +++ b/drivers/staging/media/sunxi/cedrus/cedrus_h264.c > @@ -210,6 +210,9 @@ static void _cedrus_write_ref_list(struct cedrus_ctx *ctx, > u8 dpb_idx; > > dpb_idx = ref_list[i].index; > + if (dpb_idx >= V4L2_H264_NUM_DPB_ENTRIES) > + continue; > + > dpb = &decode->dpb[dpb_idx]; > > if (!(dpb->flags & V4L2_H264_DPB_ENTRY_FLAG_ACTIVE)) > -- > 2.50.1 > -- Paul Kocialkowski, Independent contractor - sys-base - https://www.sys-base.io/ Free software developer - https://www.paulk.fr/ Expert in multimedia, graphics and embedded hardware support with Linux.