On Wed, Sep 13, 2017 at 11:25 AM, Sylwester Nawrocki
<s.nawrocki@xxxxxxxxxxx> wrote:
> On 09/12/2017 10:09 PM, Arnd Bergmann wrote:
>> {
>> const struct s3c_camif_variant *variant = camif->variant;
>> const struct vp_pix_limits *pix_lim;
>> - int i = ARRAY_SIZE(camif_mbus_formats);
>>
>> /* FIXME: constraints against codec or preview path ? */
>> pix_lim = &variant->vp_pix_limits[VP_CODEC];
>>
>> - while (i-- >= 0)
>> - if (camif_mbus_formats[i] == mf->code)
>> - break;
>> -
>> - mf->code = camif_mbus_formats[i];
>
>
> Interesting finding... the function needs to ensure mf->code is set
> to one of supported values by the driver, so instead of removing
> how about changing the above line to:
>
> if (i < 0)
> mf->code = camif_mbus_formats[0];
>
> ?
That would still have one of the two out-of-bounds accesses ;-)
maybe this
for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
if (camif_mbus_formats[i] == mf->code)
break;
if (i == ARRAY_SIZE(camif_mbus_formats))
mf->code = camif_mbus_formats[0];
Arnd
--
To unsubscribe from this list: send the line "unsubscribe linux-samsung-soc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
