Hi!
On 6/27/23 10:27, yqsun1997@xxxxxxxxx wrote:
From: yqsun1997 <yqsun1997@xxxxxxxxx>
Because format in struct img_image_buffer max index is IMG_MAX_PLANES ==3,
The num_planes max index is 8.so will be OOB like in mdp_prepare_buffer.
static void mdp_prepare_buffer(struct img_image_buffer *b,
struct mdp_frame *frame, struct vb2_buffer *vb)
{
struct v4l2_pix_format_mplane *pix_mp = &frame->format.fmt.pix_mp;
unsigned int i;
b->format.colorformat = frame->mdp_fmt->mdp_color;
b->format.ycbcr_prof = frame->ycbcr_prof;
for (i = 0; i < pix_mp->num_planes; ++i) {
Unless there is a bug in the driver, pix_mp->num_planes will never
exceed 3. Userspace might certainly pass more than 3 planes, but only
the first pix_mp->num_planes should ever be used.
If pix_mp->num_planes can ever be more than 3, then that would be the
real bug.
Regards,
Hans
u32 stride = mdp_fmt_get_stride(frame->mdp_fmt,
pix_mp->plane_fmt[i].bytesperline, i);
b->format.plane_fmt[i].stride = stride; //oob
......
Signed-off-by: yqsun1997 <yqsun1997@xxxxxxxxx>
---
drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h
index ae0396806..e2e991a34 100644
--- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h
+++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h
@@ -11,7 +11,7 @@
#define IMG_MAX_HW_INPUTS 3
#define IMG_MAX_HW_OUTPUTS 4
-#define IMG_MAX_PLANES 3
+#define IMG_MAX_PLANES 8
#define IMG_MAX_COMPONENTS 20
struct img_crop {
