[PATCH] media: v4l2-fwnode: don't risk go out of array bounds

Mon, 26 Jun 2017 04:59:30 -0700 

As warned by gcc:
        drivers/media/v4l2-core/v4l2-fwnode.c:76 
v4l2_fwnode_endpoint_parse_csi_bus() error: buffer overflow 'array' 5 <= u16max

That's because, in thesis, the routine might have called with
some value at bus->num_data_lanes.

While this doesn't happen, in practice, some code change could
cause crashes, so, better to fix it.

Signed-off-by: Mauro Carvalho Chehab <mche...@s-opensource.com>
---
 drivers/media/v4l2-core/v4l2-fwnode.c | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/drivers/media/v4l2-core/v4l2-fwnode.c 
b/drivers/media/v4l2-core/v4l2-fwnode.c
index 153c53ca3925..7232c78b1880 100644
--- a/drivers/media/v4l2-core/v4l2-fwnode.c
+++ b/drivers/media/v4l2-core/v4l2-fwnode.c
@@ -38,6 +38,8 @@ static int v4l2_fwnode_endpoint_parse_csi_bus(struct 
fwnode_handle *fwnode,
        u32 v;
        int rval;
 
+       bus->num_data_lanes = 0;
+
        rval = fwnode_property_read_u32_array(fwnode, "data-lanes", NULL, 0);
        if (rval > 0) {
                u32 array[ARRAY_SIZE(bus->data_lanes)];
@@ -56,24 +58,26 @@ static int v4l2_fwnode_endpoint_parse_csi_bus(struct 
fwnode_handle *fwnode,
 
                        bus->data_lanes[i] = array[i];
                }
-       }
 
-       rval = fwnode_property_read_u32_array(fwnode, "lane-polarities", NULL,
-                                             0);
-       if (rval > 0) {
-               u32 array[ARRAY_SIZE(bus->lane_polarities)];
+               rval = fwnode_property_read_u32_array(fwnode,
+                                                     "lane-polarities",
+                                                     NULL, 0);
+               if (rval > 0) {
+                       u32 array[ARRAY_SIZE(bus->lane_polarities)];
 
-               if (rval < 1 + bus->num_data_lanes /* clock + data */) {
-                       pr_warn("too few lane-polarities entries (need %u, got 
%u)\n",
-                               1 + bus->num_data_lanes, rval);
-                       return -EINVAL;
+                       if (rval < 1 + bus->num_data_lanes /* clock + data */) {
+                               pr_warn("too few lane-polarities entries (need 
%u, got %u)\n",
+                                       1 + bus->num_data_lanes, rval);
+                               return -EINVAL;
+                       }
+
+                       fwnode_property_read_u32_array(fwnode,
+                                                      "lane-polarities", array,
+                                                      1 + bus->num_data_lanes);
+
+                       for (i = 0; i < 1 + bus->num_data_lanes; i++)
+                               bus->lane_polarities[i] = array[i];
                }
-
-               fwnode_property_read_u32_array(fwnode, "lane-polarities", array,
-                                              1 + bus->num_data_lanes);
-
-               for (i = 0; i < 1 + bus->num_data_lanes; i++)
-                       bus->lane_polarities[i] = array[i];
        }
 
        if (!fwnode_property_read_u32(fwnode, "clock-lanes", &v)) {
-- 
2.9.4

Reply via email to