kernel / kernel-source

Clone
Source Code
GIT

Files

  1.   c9f801deb73d69cb815199861d1f433ea476f4a2
  2.   patches.suse
  3.   media-imx-jpeg-Fix-potential-array-out-of-bounds-in-.patch
Blob Blame History Raw 
From e490fa1be5fe820029aa2ff2f70bcbbcebc11d28 Mon Sep 17 00:00:00 2001
From: Mirela Rabulea <mirela.rabulea@oss.nxp.com>
Date: Tue, 8 Mar 2022 14:16:57 +0100
Subject: [PATCH] media: imx-jpeg: Fix potential array out of bounds in
 queue_setup
Git-commit: e490fa1be5fe820029aa2ff2f70bcbbcebc11d28
References: git-fixes
Patch-mainline: v5.19-rc1

Fix smatch warning in mxc_jpeg_queue_setup, check *nplanes against
current format:

drivers/media/platform/imx-jpeg/mxc-jpeg.c:1070
mxc_jpeg_queue_setup()
         warn: potential user controlled iterator 'i' (array size 2 vs 7)

Signed-off-by: Mirela Rabulea <mirela.rabulea@oss.nxp.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
index 8b33a3bca867..87d91e927747 100644
--- a/drivers/media/platform/imx-jpeg/mxc-jpeg.c
+++ b/drivers/media/platform/imx-jpeg/mxc-jpeg.c
@@ -1081,6 +1081,8 @@ static int mxc_jpeg_queue_setup(struct vb2_queue *q,
 
 	/* Handle CREATE_BUFS situation - *nplanes != 0 */
 	if (*nplanes) {
+		if (*nplanes != q_data->fmt->colplanes)
+			return -EINVAL;
 		for (i = 0; i < *nplanes; i++) {
 			if (sizes[i] < q_data->sizeimage[i])
 				return -EINVAL;
-- 
2.35.3
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.