lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20230214102827.920927-1-arnd@kernel.org>
Date:   Tue, 14 Feb 2023 11:28:20 +0100
From:   Arnd Bergmann <arnd@...nel.org>
To:     Mirela Rabulea <mirela.rabulea@....com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Shawn Guo <shawnguo@...nel.org>,
        Sascha Hauer <s.hauer@...gutronix.de>,
        Hans Verkuil <hverkuil-cisco@...all.nl>,
        Ming Qian <ming.qian@....com>
Cc:     Arnd Bergmann <arnd@...db.de>, NXP Linux Team <linux-imx@....com>,
        Pengutronix Kernel Team <kernel@...gutronix.de>,
        Fabio Estevam <festevam@...il.com>,
        Laurent Pinchart <laurent.pinchart@...asonboard.com>,
        linux-media@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH] media: imx-jpeg: avoid array overflow

From: Arnd Bergmann <arnd@...db.de>

gcc-9 (unlike newer versions) reports a possible array overflow
in mxc_jpeg_dec_irq():

drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c: In function 'mxc_jpeg_dec_irq':
drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:28: error: array subscript 2 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Werror=array-bounds]
  641 |   size += q_data->sizeimage[i];
      |           ~~~~~~~~~~~~~~~~~^~~
drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:28: error: array subscript 3 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Werror=array-bounds]

The compiler clearly deduces that fmt->mem_planes is at least '2' if
this code line is reached, and that fmt->comp_planes must be at least
one more for the loop to make sense. However, this does not actually
seem to be the case in the initialized values, so I would guess that
this part of the function is never reached in practice.

As a workaround, add a compile-time condition that skips any out-of-range
array indices.

Fixes: ccc9f1db9c6b ("media: imx-jpeg: Support contiguous and non contiguous format")
Signed-off-by: Arnd Bergmann <arnd@...db.de>
---
 drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
index f085f14d676a..7a667bfc2424 100644
--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
@@ -638,7 +638,8 @@ static u32 mxc_jpeg_get_plane_size(struct mxc_jpeg_q_data *q_data, u32 plane_no)
 
 	size = q_data->sizeimage[fmt->mem_planes - 1];
 	for (i = fmt->mem_planes; i < fmt->comp_planes; i++)
-		size += q_data->sizeimage[i];
+		if (i < MXC_JPEG_MAX_PLANES)
+			size += q_data->sizeimage[i];
 
 	return size;
 }
-- 
2.39.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ