Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1973737imm; Thu, 24 May 2018 03:51:49 -0700 (PDT) X-Google-Smtp-Source: AB8JxZohnhOuNO/mmUOIPFCZGGaNAXkiJQsBHZniSNFBrVXVQPoEPGkUV7F51M+hd3mB15KMLGR0 X-Received: by 2002:a63:aa4c:: with SMTP id x12-v6mr5245713pgo.398.1527159109249; Thu, 24 May 2018 03:51:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527159109; cv=none; d=google.com; s=arc-20160816; b=nCri6Kf+p4BYrgJLfUEbEqJWlX5kskL3cLmqFpo73e9yao4ob2ievVd1vdOWryDJzi Dpk1uo9ugFNJAfJfMl70tLvzMpujSnCIBI0hCAIIdzCE3585LbBkRWYAO5oVMBuWDgyM lKYo9J8NOFXtLOjrgDyxItSMJjqBejZb0zCuqt7RNINQOZLEE8ijG92MDvk7ANR8n7en ntEvKu+xvMofnUGS7RhGpoBULRxZqQih8qg611U9ygC6wu5VjMugu14FccPEjeUTxv9Q 3aBb6aMw2gT9ko3NDvhVefJDZhmIm9PbJ2fJPosp31EEu0bif4wVKxzckZfvbdZKdDsX zI/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=19SsaNcPLCzu+cOIPmebP8t1P0a2/0GIq4upSz18VHE=; b=HSF0bOpmtMV4t8ODB+2Wz+BNlRLRMGQ8uwGgS/eRgkvuX/cfvag+44iTSltb2Jqngd 8+VYiTlr4L+Fy6Fq4O/8QqsfV9UWvnGbZSdqvQnU4Z01B3gwfXSbkydnFHHMTss03RB8 U310RvEfxB4UKd8Bba3D+YIjwNq/q9AQRW06vFkWvCXZ31eRSmkhKb1PztBDMsd/+m7r BzMH5pZzOWLW37s1aAxvpFdXWF3yhwANy3xtCgqRkT+0Rzc2w6PJ9YdxpyE1rqJq/jzg ZHYrALW1Dtqx8puITu43QcoDD7Yc0QoZ6LhhneD4CmrofVZPzKwQqO03bKKQsXh35MHr rB+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gRpW425s; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i125-v6si11573409pgc.88.2018.05.24.03.51.34; Thu, 24 May 2018 03:51:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gRpW425s; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1032569AbeEXKtX (ORCPT + 99 others); Thu, 24 May 2018 06:49:23 -0400 Received: from mail.kernel.org ([198.145.29.99]:37442 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1030450AbeEXJ5i (ORCPT ); Thu, 24 May 2018 05:57:38 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id F40C4208AE; Thu, 24 May 2018 09:57:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527155857; bh=dijrJRCdPyHHvr5s/35Qy5tQk7/zZfWxX+Ru4nJFZJM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gRpW425swFdrAveBs8PTAIaForTkVd82kFL7DUejX/yzhTb9b8Hvfcf69BHumZQW9 P5GtCB0aQAjeu55T5AWZebAot2yCQuHVGaWbAXh5ALY6FwZGNx/IczA4uBYPa6AyYu zA+R6W8FbQ/kZTRZ2Q49bEJ2Gxo21bo+Bf/jk/ks= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Arnd Bergmann , Laurent Pinchart , Sakari Ailus , Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH 4.14 142/165] media: s3c-camif: fix out-of-bounds array access Date: Thu, 24 May 2018 11:39:08 +0200 Message-Id: <20180524093627.822425622@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180524093621.979359379@linuxfoundation.org> References: <20180524093621.979359379@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Arnd Bergmann [ Upstream commit a398e043637a4819a0e96467bfecaabf3224dd62 ] While experimenting with older compiler versions, I ran into a warning that no longer shows up on gcc-4.8 or newer: drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format': drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds This is an off-by-one bug, leading to an access before the start of the array, while newer compilers silently assume this undefined behavior cannot happen and leave the loop at index 0 if no other entry matches. As Sylvester explains, we actually need to ensure that the value is within the range, so this reworks the loop to be easier to parse correctly, and an additional check to fall back on the first format value for any unexpected input. I found an existing gcc bug for it and added a reduced version of the function there. Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3 Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface") Signed-off-by: Arnd Bergmann Reviewed-by: Laurent Pinchart Acked-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/media/platform/s3c-camif/camif-capture.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/media/platform/s3c-camif/camif-capture.c +++ b/drivers/media/platform/s3c-camif/camif-capture.c @@ -1256,16 +1256,17 @@ static void __camif_subdev_try_format(st { const struct s3c_camif_variant *variant = camif->variant; const struct vp_pix_limits *pix_lim; - int i = ARRAY_SIZE(camif_mbus_formats); + unsigned int i; /* FIXME: constraints against codec or preview path ? */ pix_lim = &variant->vp_pix_limits[VP_CODEC]; - while (i-- >= 0) + for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++) if (camif_mbus_formats[i] == mf->code) break; - mf->code = camif_mbus_formats[i]; + if (i == ARRAY_SIZE(camif_mbus_formats)) + mf->code = camif_mbus_formats[0]; if (pad == CAMIF_SD_PAD_SINK) { v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH,