[PATCH 11/11] media: atomisp: fix size of delay_frames array

Mauro Carvalho Chehab Sun, 24 May 2020 23:56:31 -0700

Right now, the variables that define the max number of
delay frames is defined as:


        #define VIDEO_FRAME_DELAY               2
        #define MAX_NUM_VIDEO_DELAY_FRAMES      (VIDEO_FRAME_DELAY + 1)
        #define NUM_PREVIEW_DVS_FRAMES          (2)
        #define MAX_NUM_DELAY_FRAMES   MAX(MAX_NUM_VIDEO_DELAY_FRAMES, 
NUM_PREVIEW_DVS_FRAMES)

In other words, we have:
        MAX_NUM_VIDEO_DELAY_FRAMES = 3
        MAX_NUM_DELAY_FRAMES = 2

The MAX_NUM_DELAY_FRAMES macro is used only only when allocating
memory. On all other parts, including looping over such array,
MAX_NUM_VIDEO_DELAY_FRAMES is used instead, like:

        void sh_css_binary_args_reset(struct sh_css_binary_args *args)
        {
                unsigned int i;
        ...

                for (i = 0; i < MAX_NUM_VIDEO_DELAY_FRAMES; i++)
                        args->delay_frames[i] = NULL;

Which will cause buffer overflows, with may override the next array
(tnr_frames[]).

In practice, this may not be causing real issues, as the code
checks for num_delay_frames on some parts (but not everywhere).

So, get rid of the smallest value.

Signed-off-by: Mauro Carvalho Chehab <mchehab+hua...@kernel.org>
---
 drivers/staging/media/atomisp/pci/ia_css_pipe.h | 2 +-
 drivers/staging/media/atomisp/pci/sh_css_defs.h | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/staging/media/atomisp/pci/ia_css_pipe.h 
b/drivers/staging/media/atomisp/pci/ia_css_pipe.h
index 91653952f1a7..9c9e1264feb0 100644
--- a/drivers/staging/media/atomisp/pci/ia_css_pipe.h
+++ b/drivers/staging/media/atomisp/pci/ia_css_pipe.h
@@ -31,7 +31,7 @@ struct ia_css_preview_settings {
        struct ia_css_binary vf_pp_binary;
 
        /* 2401 only for these two - do we in fact use them for anything real */
-       struct ia_css_frame *delay_frames[MAX_NUM_DELAY_FRAMES];
+       struct ia_css_frame *delay_frames[MAX_NUM_VIDEO_DELAY_FRAMES];
        struct ia_css_frame *tnr_frames[NUM_TNR_FRAMES];
 
        struct ia_css_pipe *copy_pipe;
diff --git a/drivers/staging/media/atomisp/pci/sh_css_defs.h 
b/drivers/staging/media/atomisp/pci/sh_css_defs.h
index fcd5081edf82..d444af82c309 100644
--- a/drivers/staging/media/atomisp/pci/sh_css_defs.h
+++ b/drivers/staging/media/atomisp/pci/sh_css_defs.h
@@ -225,8 +225,6 @@ RGB[0,8191],coef[-8192,8191] -> RGB[0,8191]
 
 #define NUM_VIDEO_TNR_FRAMES           2
 
-#define MAX_NUM_DELAY_FRAMES   MAX(MAX_NUM_VIDEO_DELAY_FRAMES, 
NUM_PREVIEW_DVS_FRAMES)
-
 /* Note that this is the define used to configure all data structures common 
for all modes */
 /* It should be equal or bigger to the max number of DVS frames for all 
possible modes */
 /* Rules: these implement logic shared between the host code and ISP firmware.
-- 
2.26.2

_______________________________________________
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH 11/11] media: atomisp: fix size of delay_frames array

Reply via email to