> -----Original Message-----
> From: Dan Carpenter [mailto:dan.carpenter@xxxxxxxxxx]
> Sent: Thursday, March 10, 2022 2:57 PM
> To: Ming Qian <ming.qian@xxxxxxx>
> Cc: linux-media@xxxxxxxxxxxxxxx
> Subject: [EXT] [bug report] media: amphion: implement windsor encoder rpc interface
>
> Hello Ming Qian,
>
> The patch d82977796c48: "media: amphion: implement windsor encoder rpc
> interface" from Feb 24, 2022, leads to the following Smatch static checker
> warning:
>
>     drivers/media/platform/amphion/vpu_windsor.c:823 vpu_windsor_config_memory_resource()
>     error: buffer overflow 'pool->enc_frames' 6 <= 7
>
> drivers/media/platform/amphion/vpu_windsor.c
>     807 int vpu_windsor_config_memory_resource(struct vpu_shared_addr *shared,
>     808                                        u32 instance,
>     809                                        u32 type,
>     810                                        u32 index,
>     811                                        struct vpu_buffer *buf)
>     812 {
>     813         struct vpu_enc_mem_pool *pool;
>     814         struct vpu_enc_memory_resource *res;
>     815
>     816         if (instance >= VID_API_NUM_STREAMS)
>                                 ^^^^^^^^^^^^^^^^^^^
> This is 8.
>
>     817                 return -EINVAL;
>     818
>     819         pool = get_mem_pool(shared, instance);
>     820
>     821         switch (type) {
>     822         case MEM_RES_ENC:
> --> 823                 res = &pool->enc_frames[index];
>
> This only has WINDSOR_MAX_SRC_FRAMES elements.

Hi Dan,

I don't get the point. The instance and index are different, and one vpu core can support 8 instances (VID_API_NUM_STREAMS). The enc_frame count of one instance won't exceed 6 (WINDSOR_MAX_SRC_FRAMES).

Maybe I should add a check for the index like:

	if (index >= ARRAY_SIZE(pool->enc_frames))
		return -EINVAL;

>
>     824                 break;
>     825         case MEM_RES_REF:
>     826                 res = &pool->ref_frames[index];
>     827                 break;
>     828         case MEM_RES_ACT:
>     829                 res = &pool->act_frame;
>     830                 break;
>     831         default:
>     832                 return -EINVAL;
>     833         }
>     834
>     835         res->phys = buf->phys;
>     836         res->virt = buf->phys - shared->boot_addr;
>     837         res->size = buf->length;
>     838
>     839         return 0;
>     840 }
>
> regards,
> dan carpenter
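
The index check proposed in the reply, as an added example that is not part of the thread or the amphion driver: a user-space C model of the quoted function that bounds `index` against the array selected by `type`, and applies the same check to the `ref_frames` case. The struct layouts, the `pools` array standing in for get_mem_pool(), the function name `config_memory_resource` and the constant `MODEL_REF_FRAMES` are assumptions.

```c
/* Added example: user-space model; layouts and MODEL_REF_FRAMES are assumed. */
#include <errno.h>
#include <stdint.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define VID_API_NUM_STREAMS    8	/* value stated in the thread */
#define WINDSOR_MAX_SRC_FRAMES 6	/* value stated in the thread */
#define MODEL_REF_FRAMES       2	/* assumed size, not from the thread */

enum { MEM_RES_ENC, MEM_RES_REF, MEM_RES_ACT };
struct vpu_buffer { uint32_t phys; uint32_t length; };
struct vpu_enc_memory_resource { uint32_t phys, virt, size; };
struct vpu_enc_mem_pool {
	struct vpu_enc_memory_resource enc_frames[WINDSOR_MAX_SRC_FRAMES];
	struct vpu_enc_memory_resource ref_frames[MODEL_REF_FRAMES];
	struct vpu_enc_memory_resource act_frame;
};
struct vpu_shared_addr {
	uint32_t boot_addr;
	struct vpu_enc_mem_pool pools[VID_API_NUM_STREAMS];
};

int config_memory_resource(struct vpu_shared_addr *shared, uint32_t instance,
			   uint32_t type, uint32_t index, const struct vpu_buffer *buf)
{
	struct vpu_enc_mem_pool *pool;
	struct vpu_enc_memory_resource *res;

	if (instance >= VID_API_NUM_STREAMS)	/* bounds the pool, not the slot */
		return -EINVAL;
	pool = &shared->pools[instance];
	switch (type) {
	case MEM_RES_ENC:
		if (index >= ARRAY_SIZE(pool->enc_frames))
			return -EINVAL;
		res = &pool->enc_frames[index];
		break;
	case MEM_RES_REF:
		if (index >= ARRAY_SIZE(pool->ref_frames))
			return -EINVAL;
		res = &pool->ref_frames[index];
		break;
	case MEM_RES_ACT:
		res = &pool->act_frame;		/* single slot, index unused */
		break;
	default:
		return -EINVAL;
	}
	res->phys = buf->phys;
	res->virt = buf->phys - shared->boot_addr;
	res->size = buf->length;
	return 0;
}
```

Using ARRAY_SIZE() on the member itself keeps each check tied to its array's declared length, so the instance limit of 8 can never be mistaken for the per-instance frame limit of 6.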