[PATCH v2] media: v4l2-fwnode: don't risk go out of array bounds

As warned by gcc:
	drivers/media/v4l2-core/v4l2-fwnode.c:76 v4l2_fwnode_endpoint_parse_csi_bus() error: buffer overflow 'array' 5 <= u16max

That's because, in theory, the routine might have been called with
some value at bus->num_data_lanes.

While this doesn't happen, in practice, some code change could
cause crashes, so, better to fix it.

Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx>
---
 drivers/media/v4l2-core/v4l2-fwnode.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/drivers/media/v4l2-core/v4l2-fwnode.c b/drivers/media/v4l2-core/v4l2-fwnode.c
index 153c53ca3925..dadffde1c729 100644
--- a/drivers/media/v4l2-core/v4l2-fwnode.c
+++ b/drivers/media/v4l2-core/v4l2-fwnode.c
@@ -56,24 +56,26 @@ static int v4l2_fwnode_endpoint_parse_csi_bus(struct fwnode_handle *fwnode,
 
 			bus->data_lanes[i] = array[i];
 		}
-	}
 
-	rval = fwnode_property_read_u32_array(fwnode, "lane-polarities", NULL,
-					      0);
-	if (rval > 0) {
-		u32 array[ARRAY_SIZE(bus->lane_polarities)];
+		rval = fwnode_property_read_u32_array(fwnode,
+						      "lane-polarities",
+						      NULL, 0);
+		if (rval > 0) {
+			u32 array[ARRAY_SIZE(bus->lane_polarities)];
 
-		if (rval < 1 + bus->num_data_lanes /* clock + data */) {
-			pr_warn("too few lane-polarities entries (need %u, got %u)\n",
-				1 + bus->num_data_lanes, rval);
-			return -EINVAL;
+			if (rval < 1 + bus->num_data_lanes /* clock + data */) {
+				pr_warn("too few lane-polarities entries (need %u, got %u)\n",
+					1 + bus->num_data_lanes, rval);
+				return -EINVAL;
+			}
+
+			fwnode_property_read_u32_array(fwnode,
+						       "lane-polarities", array,
+						       1 + bus->num_data_lanes);
+
+			for (i = 0; i < 1 + bus->num_data_lanes; i++)
+				bus->lane_polarities[i] = array[i];
 		}
-
-		fwnode_property_read_u32_array(fwnode, "lane-polarities", array,
-					       1 + bus->num_data_lanes);
-
-		for (i = 0; i < 1 + bus->num_data_lanes; i++)
-			bus->lane_polarities[i] = array[i];
 	}
 
 	if (!fwnode_property_read_u32(fwnode, "clock-lanes", &v)) {
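
Review bot: The relocated read and copy loop still use 1 + bus->num_data_lanes as the element count with no check against ARRAY_SIZE(array) in the visible lines. The only test on rval is the lower bound ("too few lane-polarities entries"), so the fix depends entirely on the enclosing data-lanes block having limited num_data_lanes earlier. A local check before the second fwnode_property_read_u32_array() call, returning -EINVAL when 1 + bus->num_data_lanes exceeds ARRAY_SIZE(bus->lane_polarities), would keep the bound next to the accesses it protects and would survive the kind of later code change the commit message worries about. Two smaller points: the return value of that second read is discarded, so a failed read leaves array uninitialized before it is copied into bus->lane_polarities; and with this nesting, "lane-polarities" is no longer parsed at all when "data-lanes" is absent, which is a behaviour change the commit message should mention.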
-- 
2.9.4



