From patchwork Tue Jan 16 15:30:46 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 10167449 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id E5BC1600CA for ; Tue, 16 Jan 2018 15:31:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D6B9B228C8 for ; Tue, 16 Jan 2018 15:31:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CAE6A28068; Tue, 16 Jan 2018 15:31:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 41AD2228C8 for ; Tue, 16 Jan 2018 15:31:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751205AbeAPPbS (ORCPT ); Tue, 16 Jan 2018 10:31:18 -0500 Received: from mout.kundenserver.de ([212.227.126.130]:50421 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751145AbeAPPbR (ORCPT ); Tue, 16 Jan 2018 10:31:17 -0500 Received: from wuerfel.lan ([95.208.111.237]) by mrelayeu.kundenserver.de (mreue006 [212.227.15.129]) with ESMTPA (Nemesis) id 0MDaAr-1ecrIc0jEb-00GsKZ; Tue, 16 Jan 2018 16:31:07 +0100 From: Arnd Bergmann To: Sylwester Nawrocki , Mauro Carvalho Chehab Cc: Arnd Bergmann , Laurent Pinchart , Sakari Ailus , linux-media@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] [v2] media: s3c-camif: fix out-of-bounds array access Date: Tue, 16 Jan 2018 16:30:46 +0100 Message-Id: <20180116153105.3523235-1-arnd@arndb.de> X-Mailer: git-send-email 2.9.0 X-Provags-ID: V03:K0:KwEd3ocnORFZ1KMYIsNg8hJg3HwDQ5cevOCdNr6Vp6JiZq+F0Wi RnMZdxX77l9BjXhWbeR26uO1x9GXcKcrTCkY49/Wf4mi+5AtqteaGshTim2JT1SDGrEKDDL DpIL5ifgNFblGwaGf9I4sHKLXa+Y1LuzGM6bGdoGQ5pomRWb4nGE7dHxG2FzYOS9GdOh6tG uZM2WNgggpKpEtbyoAKOA== X-UI-Out-Filterresults: notjunk:1; V01:K0:UFFoG5+3Hps=:TFB1yibS1bcQanhuA1g6Zc 8Y8CTKzAivhw8yISyP33/xQoFfrl4IWeR25FiTJA1LuAsfAg3M9k9JDFwXXBnYKMZATyd4XG/ dTeNCPOXOwCz7kC4YLA/jAcHaDp6GbMivYKe5ezdf6Y202R3CLTK6HVcpqeUflOHNwB3aGNM/ H5xhtuVBl6p/Dvg9W0pel5xqvoCyQPN7TZp/L3zdPvX0rjWGqOOK+Fvh6IDQJz0EO0fG801+o oZzvXCafr5AnQgg07KEQCJxvR5D5UeU5ZpAz5KsXRUX05iBXkNYrwDdlQVGpyaxtO4eQqZ+YX YBArC9yEo3p8qKoUfJTOIbAkP8U3HrKCLQxXG2IHp6dX3wtjSoB8Pw/lZN7M7uVx77fRq9AIl 2UIPXHvDMCZyKihXRhosB3OCyMpNmjG8w/7JtROvzpq6Uz/bX04HRb9Yt//VaFRM1HdQRc+oW KNq0JKNxyKY0+R4kmrcl449chjUb60t1TMuWg4/qMKA9klDgShiPYR5TbjdP0aEuZIPHJtigO pvl4gbYzZJIG16P5yLCcYHwv+Lg3pZgQE5GsfIKWeAckPK4MWCygOMnSJfDtF2nKvzWuWwLK7 ALUbUK3YndlLwwUUHXUj/d+PBXPRunVC+n99J2+Bay1f11N78G/8T2gQ4kVaikaDgy7UcM3hD hyzGWgCtvGHRPeHKg9mwxhYRNUM9SzTN8o6EcINV/pne64JNIt3aaCVkKgOLagAxgH253npVc 7qorqgKsa3y6WNfxXVQibEoqpfiAyVCPSmMuhQ== Sender: linux-samsung-soc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-samsung-soc@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP While experimenting with older compiler versions, I ran into a warning that no longer shows up on gcc-4.8 or newer: drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format': drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds This is an off-by-one bug, leading to an access before the start of the array, while newer compilers silently assume this undefined behavior cannot happen and leave the loop at index 0 if no other entry matches. As Sylvester explains, we actually need to ensure that the value is within the range, so this reworks the loop to be easier to parse correctly, and an additional check to fall back on the first format value for any unexpected input. I found an existing gcc bug for it and added a reduced version of the function there. Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3 Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface") Signed-off-by: Arnd Bergmann --- v2: rework logic rather than removing it. --- drivers/media/platform/s3c-camif/camif-capture.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/s3c-camif/camif-capture.c b/drivers/media/platform/s3c-camif/camif-capture.c index 437395a61065..002609be1400 100644 --- a/drivers/media/platform/s3c-camif/camif-capture.c +++ b/drivers/media/platform/s3c-camif/camif-capture.c @@ -1256,15 +1256,18 @@ static void __camif_subdev_try_format(struct camif_dev *camif, { const struct s3c_camif_variant *variant = camif->variant; const struct vp_pix_limits *pix_lim; - int i = ARRAY_SIZE(camif_mbus_formats); + int i; /* FIXME: constraints against codec or preview path ? */ pix_lim = &variant->vp_pix_limits[VP_CODEC]; - while (i-- >= 0) + for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++) if (camif_mbus_formats[i] == mf->code) break; + if (i == ARRAY_SIZE(camif_mbus_formats)) + mf->code = camif_mbus_formats[0]; + mf->code = camif_mbus_formats[i]; if (pad == CAMIF_SD_PAD_SINK) {