From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Arnd Bergmann, Laurent Pinchart, Sakari Ailus, Mauro Carvalho Chehab, Sasha Levin
Subject: [PATCH 4.16 137/161] media: s3c-camif: fix out-of-bounds array access
Date: Thu, 24 May 2018 11:39:22 +0200
Message-Id: <20180524093034.772463817@linuxfoundation.org>
In-Reply-To: <20180524093018.331893860@linuxfoundation.org>
References: <20180524093018.331893860@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann

[ Upstream commit a398e043637a4819a0e96467bfecaabf3224dd62 ]

While experimenting with older compiler versions, I ran
into a warning that no longer shows up on gcc-4.8 or newer:

drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format':
drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds

This is an off-by-one bug, leading to an access before the start of the
array, while newer compilers silently assume this undefined behavior
cannot happen and leave the loop at index 0 if no other entry matches.

As Sylvester explains, we actually need to ensure that the
value is within the range, so this reworks the loop to be
easier to parse correctly, and an additional check to fall
back on the first format value for any unexpected input.

I found an existing gcc bug for it and added a reduced version
of the function there.

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3
Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
Signed-off-by: Arnd Bergmann
Reviewed-by: Laurent Pinchart
Acked-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/media/platform/s3c-camif/camif-capture.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/media/platform/s3c-camif/camif-capture.c +++ b/drivers/media/platform/s3c-camif/camif-capture.c @@ -1256,16 +1256,17 @@ static void __camif_subdev_try_format(st { const struct s3c_camif_variant *variant = camif->variant; const struct vp_pix_limits *pix_lim; - int i = ARRAY_SIZE(camif_mbus_formats); + unsigned int i; /* FIXME: constraints against codec or preview path ? */ pix_lim = &variant->vp_pix_limits[VP_CODEC]; - while (i-- >= 0) + for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++) if (camif_mbus_formats[i] == mf->code) break; - mf->code = camif_mbus_formats[i]; + if (i == ARRAY_SIZE(camif_mbus_formats)) + mf->code = camif_mbus_formats[0]; if (pad == CAMIF_SD_PAD_SINK) { v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH,
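
Review bot: the fallback added after the loop in __camif_subdev_try_format(), `if (i == ARRAY_SIZE(camif_mbus_formats))` followed by `mf->code = camif_mbus_formats[0];`, has no comment saying that an mf->code value not found in the table is replaced by the first table entry. The commit message gives that reason but the code does not, so a one-line comment above the check would keep the intent visible to the next reader. As a style point in the same hunk, the `for` body is a two-line `if`/`break` with no braces; bracing the loop body would make its extent explicit, which matters here because the removed `while (i-- >= 0)` loop left `i` below zero on the no-match path and the old unconditional `mf->code = camif_mbus_formats[i];` then read before the start of the array.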