On 27.07.2023 06:34, Vikash Garodia wrote:
> Supported codec bitmask is populated from the payload from venus firmware.
> There is a possible case when all the bits in the codec bitmask are set. In
> such case, core cap for decoder is filled and MAX_CODEC_NUM is utilized.
> Now while filling the caps for encoder, it can lead to access the caps
> array beyond 32 index. Hence leading to OOB write.
> The fix counts the supported encoder and decoder. If the count is more than
> max, then it skips accessing the caps.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
> Signed-off-by: Vikash Garodia <quic_vgarodia@xxxxxxxxxxx>
> ---
> drivers/media/platform/qcom/venus/hfi_parser.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c > index ec73cac..651e215 100644 > --- a/drivers/media/platform/qcom/venus/hfi_parser.c > +++ b/drivers/media/platform/qcom/venus/hfi_parser.c > @@ -14,11 +14,26 @@ > typedef void (*func)(struct hfi_plat_caps *cap, const void *data, > unsigned int size); > > +static int count_setbits(u32 input)

hweight_long()?

Konrad
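
Review bot: the new helper `count_setbits(u32 input)`, the last added line quoted from this hunk, open-codes a population count that the kernel already provides; because the argument is a u32, hweight32() from <linux/bitops.h> returns the set-bit count directly and removes the need for a private implementation in hfi_parser.c. Only the helper's signature is visible in this quote, so the bound check described in the commit message (skipping the caps when the counted encoders and decoders exceed the maximum) cannot be checked here. In the full patch, confirm that the count is compared against MAX_CODEC_NUM before any write into the caps array, and that the bitmask taken from the firmware payload is treated as untrusted input on every path that indexes the array.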