On Mon, 22 Aug 2022 20:59:09 +0200,
Pierre-Louis Bossart wrote:
>
> +#define SSP_BLOB_V1_0_SIZE 84
> +#define SSP_BLOB_V1_0_MDIVC_OFFSET 19 /* offset in u32 */
> +#define SSP_BLOB_V1_5_SIZE 96
> +#define SSP_BLOB_V1_5_MDIVC_OFFSET 21 /* offset in u32 */
This is 84 in bytes, which is equal with SSP_BLOB_V1_0_size.
So...
> + for (j = 0; j < fmt->fmt_count; j++) {
> + u32 *blob;
> + int mdivc_offset;
> +
> + if (cfg->config.size >= SSP_BLOB_V1_0_SIZE) {
> + blob = (u32 *)cfg->config.caps;
... the size check is >= 84. If cfg->config.size==84, it may be an
out-of-bound read at blob[SSP_BLOB_V1_5_MDIVC_OFFSET]?
I don't think this would really matter in practice, but it's better to
have a proper check, of course.
thanks,
Takashi
