Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1931996imm;
        Thu, 24 May 2018 03:08:53 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZoMeMCxcq4ZnvGAyfFXCql/ekrOhQHCATJj7RNOE+Vwdv8b24EQ7cwrJ18cTPewWIzhDeEJ
X-Received: by 2002:a17:902:7402:: with SMTP id g2-v6mr6874812pll.246.1527156533930;
        Thu, 24 May 2018 03:08:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527156533; cv=none;
        d=google.com; s=arc-20160816;
        b=KD809iQ265jEDaIE5Ur7XuWeZ+AiEW6h1/UTFr/tslnoqyeNmd1C1uKJpGd7C9oKHn
         arjehPwEFefZrX+ZLuGHv43H/Tm4cMZjRkejCQP7LcBEvoYxhKjbSkiWDHnHc9x1g306
         yYbpZDJtJCk9mcP7q1ArFQGwbEAbKG8aaJ5N2drkqnrJSbnZVP74Uiqe2IzujKF+fptX
         KNQo296OfaTMmPQNV/ZGFuXJoAJ9Zz4kUCWfnPkNSl56ao38BIqjtHRjplD5BI8KA6PK
         ZrfpBV4xlSyhGKL7Kf4CcL6rccpxp3lJseJ/xIojLFjeqqkBv9DBuT8uO5djS6z80pt+
         7llg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature
         :arc-authentication-results;
        bh=QmSuHcjRHDlkIkclg0D09ADVMutpzBVu1T06xaQvV9U=;
        b=Jq3N76ftb4zBtMnSCUaoBAs0WSh4UbttCpaI3qb9qLSYw1v4TP6vpM9GYGt4chiY94
         kerabwXg6b9Xefb8kXv+6kP8ok0H0cQR45XfdbVN2bBA1X9WeVldlne91NFdeu4xTQd3
         dWZbLzQXVjg+HR92jv/y6W6NKFN3yCYPDxFchFUWxJRtinlVTmRMfnmXV+hs4jN0aU+Z
         eWK/YIfKmikbMpwsijMYnsPnF7wl7x2SmSUFZtrcpWsr6dKTlQx+saMSGmjFJetjH1qk
         dCvFvKafbniJ7i09vrO2YMGqLB6AyY5PrpoZt7E3J+ZlxhNMWa7fZQ/Vjkgg5HGmACcu
         O0cw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=zHbM4XJj;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d18-v6si21192167plr.265.2018.05.24.03.08.39;
        Thu, 24 May 2018 03:08:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=zHbM4XJj;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1031663AbeEXKH6 (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Thu, 24 May 2018 06:07:58 -0400
Received: from mail.kernel.org ([198.145.29.99]:55186 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1031688AbeEXKGK (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 24 May 2018 06:06:10 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 6DD5D20870;
        Thu, 24 May 2018 10:06:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1527156369;
        bh=YusmXrASPIOaYcNeWFEXRRFzUtmR8uDYmMSspdi3xZY=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=zHbM4XJjQMM8BAb4qjCAZMpQMpMpBT7Tayrwfod42ZAABkUhv0jT0jR8oWD+YO8/1
         UHgRIzvDsSF1LYFRjK6toblaQNOdmV/tQ+o2uWCsN6xRSweam38bn8LtwnFeTJcaik
         RshVpnXVMbVGXyMSdQ8HRySYVx10Z/qb4O5ZZRw4=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
        Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
        Sakari Ailus <sakari.ailus@linux.intel.com>,
        Mauro Carvalho Chehab <mchehab@s-opensource.com>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.16 137/161] media: s3c-camif: fix out-of-bounds array access
Date:   Thu, 24 May 2018 11:39:22 +0200
Message-Id: <20180524093034.772463817@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180524093018.331893860@linuxfoundation.org>
References: <20180524093018.331893860@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit a398e043637a4819a0e96467bfecaabf3224dd62 ]

While experimenting with older compiler versions, I ran
into a warning that no longer shows up on gcc-4.8 or newer:

drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format':
drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds

This is an off-by-one bug, leading to an access before the start of the
array, while newer compilers silently assume this undefined behavior
cannot happen and leave the loop at index 0 if no other entry matches.

As Sylvester explains, we actually need to ensure that the
value is within the range, so this reworks the loop to be
easier to parse correctly, and an additional check to fall
back on the first format value for any unexpected input.

I found an existing gcc bug for it and added a reduced version
of the function there.

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3
Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/s3c-camif/camif-capture.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/media/platform/s3c-camif/camif-capture.c
+++ b/drivers/media/platform/s3c-camif/camif-capture.c
@@ -1256,16 +1256,17 @@ static void __camif_subdev_try_format(st
 {
 	const struct s3c_camif_variant *variant = camif->variant;
 	const struct vp_pix_limits *pix_lim;
-	int i = ARRAY_SIZE(camif_mbus_formats);
+	unsigned int i;
 
 	/* FIXME: constraints against codec or preview path ? */
 	pix_lim = &variant->vp_pix_limits[VP_CODEC];
 
-	while (i-- >= 0)
+	for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
 		if (camif_mbus_formats[i] == mf->code)
 			break;
 
-	mf->code = camif_mbus_formats[i];
+	if (i == ARRAY_SIZE(camif_mbus_formats))
+		mf->code = camif_mbus_formats[0];
 
 	if (pad == CAMIF_SD_PAD_SINK) {
 		v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH,