[bug report] media: coda: jpeg: add CODA960 JPEG encoder support

Hello Philipp Zabel,

The patch 96f6f62c4656: "media: coda: jpeg: add CODA960 JPEG encoder
support" from Dec 12, 2019, leads to the following Smatch static
checker warning:

	drivers/media/platform/chips-media/coda-jpeg.c:622 coda9_jpeg_gen_enc_huff_tab()
	warn: check that incremented offset 'k' is capped

drivers/media/platform/chips-media/coda-jpeg.c
    583 static int coda9_jpeg_gen_enc_huff_tab(struct coda_ctx *ctx, int tab_num,
    584                                        int *ehufsi, int *ehufco)
    585 {
    586         int i, j, k, lastk, si, code, maxsymbol;
    587         const u8 *bits, *huffval;
    588         struct {
    589                 int size[256];
    590                 int code[256];
    591         } *huff;
    592         static const unsigned char *huff_tabs[4] = {
    593                 luma_dc, luma_ac, chroma_dc, chroma_ac,
    594         };
    595         int ret = -EINVAL;
    596 
    597         huff = kzalloc(sizeof(*huff), GFP_KERNEL);
    598         if (!huff)
    599                 return -ENOMEM;
    600 
    601         bits = huff_tabs[tab_num];
    602         huffval = huff_tabs[tab_num] + 16;
    603 
    604         maxsymbol = tab_num & 1 ? 256 : 16;
    605 
    606         /* Figure C.1 - Generation of table of Huffman code sizes */
    607         k = 0;
    608         for (i = 1; i <= 16; i++) {
    609                 j = bits[i - 1];
    610                 if (k + j > maxsymbol)
    611                         goto out;
    612                 while (j--)
    613                         huff->size[k++] = i;
    614         }
    615         lastk = k;
    616 
    617         /* Figure C.2 - Generation of table of Huffman codes */
    618         k = 0;
    619         code = 0;
    620         si = huff->size[0];
    621         while (k < lastk) {
                       ^^^^^^^^^
Here we know that k is valid.

--> 622                 while (huff->size[k] == si) {
    623                         huff->code[k++] = code;

But this loop iterates through k without checking if k is still valid.
How do we know that the huff->size[k] check won't read beyond the end
of the loop?  Presumably it won't go far beyond the end before it hits
something which is != si.

    624                         code++;
    625                 }
    626                 if (code >= (1 << si))
    627                         goto out;
    628                 code <<= 1;
    629                 si++;
    630         }
    631 
    632         /* Figure C.3 - Ordering procedure for encoding procedure code tables */
    633         for (k = 0; k < lastk; k++) {
    634                 i = huffval[k];
    635                 if (i >= maxsymbol || ehufsi[i])
    636                         goto out;
    637                 ehufco[i] = huff->code[k];
    638                 ehufsi[i] = huff->size[k];
    639         }
    640 
    641         ret = 0;
    642 out:
    643         kfree(huff);
    644         return ret;
    645 }

regards,
dan carpenter
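
A userspace model of the Figure C.1 and C.2 loops with the inner loop capped, added here as an example; it is not part of the original message or of the driver. The `gen_codes` name, the `max_idx` out-parameter and the `full_bits` table are constructed for illustration: `full_bits` fills all 256 slots, which is the one case where the uncapped loop would index `size[256]` (with fewer entries the zeroed `size[lastk]` from `kzalloc()` stops it).

```c
#include <stdio.h>

/* Constructed inputs: JPEG Annex K luminance DC BITS, and a full 256-code table. */
static const unsigned char dc_bits[16] = { 0, 1, 5, 1, 1, 1, 1, 1, 1 };
static const unsigned char full_bits[16] = { 0, 0, 0, 0, 0, 0, 0, 255, 1 };

/*
 * Model of Figures C.1 and C.2 with the inner loop capped.
 * Returns the number of codes, or -1 for an invalid table.
 * *max_idx is the highest index of size[] that Figure C.2 read.
 */
static int gen_codes(const unsigned char *bits, int maxsymbol,
                     int size[256], int code_out[256], int *max_idx)
{
    int i, j, k = 0, lastk, si, code = 0;

    *max_idx = -1;
    for (i = 1; i <= 16; i++) {             /* Figure C.1 */
        j = bits[i - 1];
        if (k + j > maxsymbol)
            return -1;
        while (j--)
            size[k++] = i;
    }
    lastk = k;
    if (lastk == 0)
        return 0;

    k = 0;
    si = size[0];
    while (k < lastk) {                     /* Figure C.2 */
        /* k is tested before size[k] is read, so size[lastk] is never touched */
        while (k < lastk && size[k] == si) {
            *max_idx = k;
            code_out[k++] = code++;
        }
        if (code >= (1 << si))
            return -1;
        code <<= 1;
        si++;
    }
    return lastk;
}

int main(void)
{
    int size[256], code[256], max_idx;
    int n_dc = gen_codes(dc_bits, 16, size, code, &max_idx);
    int n_full = gen_codes(full_bits, 256, size, code, &max_idx);
    printf("dc=%d full=%d highest size[] index read=%d\n", n_dc, n_full, max_idx);
    return 0;
}
```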


