Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
MIME-Version: 1.0
References: <20210812170043.1046669-1-trix@redhat.com>
In-Reply-To: <20210812170043.1046669-1-trix@redhat.com>
From:   Tim Harvey <tharvey@gateworks.com>
Date:   Thu, 19 Aug 2021 09:43:26 -0700
Message-ID: <CAJ+vNU3Z54Mbr8s6JTOtCsNorV_sYZg39o8w44mLX4d-F9=L4g@mail.gmail.com>
Subject: Re: [PATCH] media: TDA1997x: handle short reads of hdmi info frame.
To:     trix@redhat.com
Cc:     Mauro Carvalho Chehab <mchehab@kernel.org>,
        Hans Verkuil <hans.verkuil@cisco.com>,
        linux-media <linux-media@vger.kernel.org>,
        open list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

On Thu, Aug 12, 2021 at 10:01 AM <trix@redhat.com> wrote:
>
> From: Tom Rix <trix@redhat.com>
>
> Static analysis reports this representative problem
>
> tda1997x.c:1939: warning: 7th function call argument is an uninitialized
> value
>
> The 7th argument is buffer[0], which is set in the earlier call to
> io_readn().  When io_readn() call to io_read() fails with the first
> read, buffer[0] is not set and 0 is returned and stored in len.
>
> The later call to hdmi_infoframe_unpack()'s size parameter is the
> static size of buffer, always 40, so a short read is not caught
> in hdmi_infoframe_unpacks()'s checking.  The variable len should be
> used instead.
>
> Zero initialize buffer to 0 so it is in a known start state.
>
> Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver")
> Signed-off-by: Tom Rix <trix@redhat.com>
> ---
>  drivers/media/i2c/tda1997x.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/media/i2c/tda1997x.c b/drivers/media/i2c/tda1997x.c
> index 1e2a263be9335..0b995424cb346 100644
> --- a/drivers/media/i2c/tda1997x.c
> +++ b/drivers/media/i2c/tda1997x.c
> @@ -1248,13 +1248,13 @@ tda1997x_parse_infoframe(struct tda1997x_state *state, u16 addr)
>  {
>         struct v4l2_subdev *sd = &state->sd;
>         union hdmi_infoframe frame;
> -       u8 buffer[40];
> +       u8 buffer[40] = { 0 };
>         u8 reg;
>         int len, err;
>
>         /* read data */
>         len = io_readn(sd, addr, sizeof(buffer), buffer);
> -       err = hdmi_infoframe_unpack(&frame, buffer, sizeof(buffer));
> +       err = hdmi_infoframe_unpack(&frame, buffer, len);
>         if (err) {
>                 v4l_err(state->client,
>                         "failed parsing %d byte infoframe: 0x%04x/0x%02x\n",
> @@ -1928,13 +1928,13 @@ static int tda1997x_log_infoframe(struct v4l2_subdev *sd, int addr)
>  {
>         struct tda1997x_state *state = to_state(sd);
>         union hdmi_infoframe frame;
> -       u8 buffer[40];
> +       u8 buffer[40] = { 0 };
>         int len, err;
>
>         /* read data */
>         len = io_readn(sd, addr, sizeof(buffer), buffer);
>         v4l2_dbg(1, debug, sd, "infoframe: addr=%d len=%d\n", addr, len);
> -       err = hdmi_infoframe_unpack(&frame, buffer, sizeof(buffer));
> +       err = hdmi_infoframe_unpack(&frame, buffer, len);
>         if (err) {
>                 v4l_err(state->client,
>                         "failed parsing %d byte infoframe: 0x%04x/0x%02x\n",
> --
> 2.26.3
>

Reviewed-By: Tim Harvey <tharvey@gateworks.com>

Tim