From patchwork Tue Sep 12 20:09:18 2017
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 112389
From: Arnd Bergmann
To: Sylwester Nawrocki, Mauro Carvalho Chehab
Cc: Arnd Bergmann, linux-media@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] [media] s3c-camif: fix out-of-bounds array access
Date: Tue, 12 Sep 2017 22:09:18 +0200
Message-Id: <20170912200932.3634089-1-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
X-Mailing-List: linux-samsung-soc@vger.kernel.org

While experimenting with older compiler versions, I ran
into a warning that no longer shows up on gcc-4.8 or newer:

drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format':
drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds

This is an off-by-one bug, leading to an access before the start of the
array, while newer
compilers silently assume this undefined behavior cannot happen and leave
the loop at index 0 if no other entry matches.

Since the code is not only wrong, but also has no effect besides the
out-of-bounds access, this patch just removes it.

I found an existing gcc bug for it and added a reduced version
of the function there.

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3
Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
Signed-off-by: Arnd Bergmann
---
 drivers/media/platform/s3c-camif/camif-capture.c | 7 -------
 1 file changed, 7 deletions(-)

-- 
2.9.0

diff --git a/drivers/media/platform/s3c-camif/camif-capture.c b/drivers/media/platform/s3c-camif/camif-capture.c index 25c7a7d42292..c6921f6a5a6a 100644 --- a/drivers/media/platform/s3c-camif/camif-capture.c +++ b/drivers/media/platform/s3c-camif/camif-capture.c @@ -1256,17 +1256,10 @@ static void __camif_subdev_try_format(struct camif_dev *camif, { const struct s3c_camif_variant *variant = camif->variant; const struct vp_pix_limits *pix_lim; - int i = ARRAY_SIZE(camif_mbus_formats); /* FIXME: constraints against codec or preview path ? */ pix_lim = &variant->vp_pix_limits[VP_CODEC]; - while (i-- >= 0) - if (camif_mbus_formats[i] == mf->code) - break; - - mf->code = camif_mbus_formats[i]; - if (pad == CAMIF_SD_PAD_SINK) { v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH, ffs(pix_lim->out_width_align) - 1,
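
Review bot: With the lookup and the `mf->code = camif_mbus_formats[i];` assignment removed from __camif_subdev_try_format(), nothing in this hunk constrains mf->code to an entry of camif_mbus_formats any more, so a code that is not in the table now passes through unchanged. The removed loop was broken (the post-decrement in `while (i-- >= 0)` compares camif_mbus_formats[-1] and, when nothing matches, exits with i == -2 and reads that slot), but its shape suggests the intent was to fall back to a supported format. The commit message itself says newer compilers end the loop at index 0 when nothing matches, which means those builds did substitute camif_mbus_formats[0]; the removal therefore changes behaviour there rather than being a pure no-op. Please either state in the changelog where mf->code is validated for this path, or keep the lookup with a corrected bound, for example `while (--i > 0)` followed by the existing assignment, which stops at i == 0 and keeps entry 0 as the fallback without reading below the array.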