On 11/07/2024 00:09, Kees Cook wrote:
The only direct user of struct hfi_session_release_buffer_pkt is
pkt_session_unset_buffers() which sets "num_buffers" before using it
as a loop counter for accessing "buffer_info". Add the __counted_by
annotation to reflect the relationship.
Signed-off-by: Kees Cook <kees@xxxxxxxxxx>
---
Cc: Stanimir Varbanov <stanimir.k.varbanov@xxxxxxxxx>
Cc: Vikash Garodia <quic_vgarodia@xxxxxxxxxxx>
Cc: "Bryan O'Donoghue" <bryan.odonoghue@xxxxxxxxxx>
Cc: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
Cc: "Gustavo A. R. Silva" <gustavoars@xxxxxxxxxx>
Cc: linux-media@xxxxxxxxxxxxxxx
Cc: linux-arm-msm@xxxxxxxxxxxxxxx
Cc: linux-hardening@xxxxxxxxxxxxxxx
---
drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
index 42825f07939d..1adf2d2ae5f2 100644
--- a/drivers/media/platform/qcom/venus/hfi_cmds.h
+++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
@@ -227,7 +227,7 @@ struct hfi_session_release_buffer_pkt {
u32 extradata_size;
u32 response_req;
u32 num_buffers;
- u32 buffer_info[];
+ u32 buffer_info[] __counted_by(num_buffers);
};
struct hfi_session_release_resources_pkt {
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@xxxxxxxxxx>