On 11/6/2024 3:53 PM, Bryan O'Donoghue wrote:
> On 06/11/2024 07:25, Vikash Garodia wrote:
>>>> cap = &caps[core->codecs_count++];
>>>> cap->codec = BIT(bit);
>>>> cap->domain = VIDC_SESSION_TYPE_ENC;
>>>>
>>> I don't see how codecs_count could be greater than the control, since you
>>> increment by one on each loop but >= is fine too I suppose.
>> Assume the payload from malicious firmware is packed like below
>> HFI_PROPERTY_PARAM_CODEC_SUPPORTED
>> HFI_PROPERTY_PARAM_CODEC_SUPPORTED
>> HFI_PROPERTY_PARAM_CODEC_SUPPORTED
>> .....
>> for 32 or more instances of above type
>
> But you do this
>
> cap = &caps[core->codecs_count++];
>
> for each bit.

Yes. Let's say that packet is written more than 32 times in the payload response from bad firmware and each has 1 bit set. core->codecs_count would be incremented beyond the allocated space.

Regards,
Vikash

> Anyway consider Dmitry's input re only calling this function once instead.
>
> ---
> bod
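The scenario argued above, as an added example that is not the Venus driver's code: a firmware response that repeats HFI_PROPERTY_PARAM_CODEC_SUPPORTED 40 times with one bit set each time, a count of how far the unchecked `codecs_count++` would run, and the parser with the `>=` bound that stops writing at the end of the array. The payload struct layout, the property tag value, MAX_CODEC_NUM = 32 and the VIDC_SESSION_TYPE_* values are assumptions for illustration.

```c
/* Added example modelling the codecs_count discussion, not driver code.
 * Layout of struct hfi_prop, the tag value, MAX_CODEC_NUM and the
 * VIDC_SESSION_TYPE_* values are assumptions made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CODEC_NUM 32                            /* assumed caps[] size */
#define HFI_PROPERTY_PARAM_CODEC_SUPPORTED 0x1004u  /* assumed tag value */
#define VIDC_SESSION_TYPE_DEC 1                     /* assumed */
#define VIDC_SESSION_TYPE_ENC 2                     /* assumed */
#define BIT(n) (1u << (n))

/* Assumed layout of one property inside the firmware response. */
struct hfi_prop {
	uint32_t type;
	uint32_t decoder_codecs;  /* bitmask, one bit per codec */
	uint32_t encoder_codecs;  /* bitmask, one bit per codec */
};

struct plat_cap {
	uint32_t codec;
	uint32_t domain;
};

struct core {
	struct plat_cap caps[MAX_CODEC_NUM];
	unsigned int codecs_count;
};

static unsigned int popcount32(uint32_t v)
{
	unsigned int n = 0;
	for (int bit = 0; bit < 32; bit++)
		n += (v >> bit) & 1u;
	return n;
}

/* Constructed payload: n copies of the same property, each with a
 * single encoder bit set, as described in the thread. */
static size_t build_malicious(struct hfi_prop *out, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		out[i].type = HFI_PROPERTY_PARAM_CODEC_SUPPORTED;
		out[i].decoder_codecs = 0;
		out[i].encoder_codecs = BIT(i % 32);
	}
	return n;
}

/* How far an unchecked codecs_count++ per set bit would run. Computed
 * rather than written, so this model never indexes past caps[]. */
static unsigned int unchecked_count(const struct hfi_prop *props, size_t n)
{
	unsigned int count = 0;
	for (size_t i = 0; i < n; i++) {
		if (props[i].type != HFI_PROPERTY_PARAM_CODEC_SUPPORTED)
			continue;
		count += popcount32(props[i].decoder_codecs) +
			 popcount32(props[i].encoder_codecs);
	}
	return count;
}

/* Hardened parse: refuses to write once codecs_count reaches the array
 * size. Returns the number of entries stored; *truncated tells the
 * caller the firmware sent more than fits. */
static unsigned int parse_codecs(struct core *core, const struct hfi_prop *props,
				 size_t n, bool *truncated)
{
	*truncated = false;
	for (size_t i = 0; i < n; i++) {
		if (props[i].type != HFI_PROPERTY_PARAM_CODEC_SUPPORTED)
			continue;
		const uint32_t masks[2] = { props[i].decoder_codecs, props[i].encoder_codecs };
		const uint32_t domains[2] = { VIDC_SESSION_TYPE_DEC, VIDC_SESSION_TYPE_ENC };
		for (int d = 0; d < 2; d++) {
			for (int bit = 0; bit < 32; bit++) {
				if (!(masks[d] & BIT(bit)))
					continue;
				if (core->codecs_count >= MAX_CODEC_NUM) {
					*truncated = true;
					return core->codecs_count;
				}
				struct plat_cap *cap = &core->caps[core->codecs_count++];
				cap->codec = BIT(bit);
				cap->domain = domains[d];
			}
		}
	}
	return core->codecs_count;
}

int main(void)
{
	struct hfi_prop evil[40];
	struct core core = { 0 };
	bool truncated;

	build_malicious(evil, 40);
	printf("unchecked count would reach %u (array holds %d)\n",
	       unchecked_count(evil, 40), MAX_CODEC_NUM);
	printf("checked parse stored %u, truncated=%d\n",
	       parse_codecs(&core, evil, 40, &truncated), truncated);
	return 0;
}
```

The per-property `>=` check is independent of how many times the handler is invoked, so it still holds if the function ends up being called once per response as suggested later in the thread.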