media: atomisp: fix size of delay_frames array

Right now, the variables that define the max number of delay frames is defined as: #define VIDEO_FRAME_DELAY 2 #define MAX_NUM_VIDEO_DELAY_FRAMES (VIDEO_FRAME_DELAY + 1) #define NUM_PREVIEW_DVS_FRAMES (2) #define MAX_NUM_DELAY_FRAMES MAX(MAX_NUM_VIDEO_DELAY_FRAMES, NUM_PREVIEW_DVS_FRAMES) In other words, we have: MAX_NUM_VIDEO_DELAY_FRAMES = 3 MAX_NUM_DELAY_FRAMES = 2 The MAX_NUM_DELAY_FRAMES macro is used only only when allocating memory. On all other parts, including looping over such array, MAX_NUM_VIDEO_DELAY_FRAMES is used instead, like: void sh_css_binary_args_reset(struct sh_css_binary_args *args) { unsigned int i; ... for (i = 0; i < MAX_NUM_VIDEO_DELAY_FRAMES; i++) args->delay_frames[i] = NULL; Which will cause buffer overflows, with may override the next array (tnr_frames[]). In practice, this may not be causing real issues, as the code checks for num_delay_frames on some parts (but not everywhere). So, get rid of the smallest value. Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

media: atomisp: fix size of delay_frames array
Right now, the variables that define the max number of delay frames is defined as: #define VIDEO_FRAME_DELAY 2 #define MAX_NUM_VIDEO_DELAY_FRAMES (VIDEO_FRAME_DELAY + 1) #define NUM_PREVIEW_DVS_FRAMES (2) #define MAX_NUM_DELAY_FRAMES MAX(MAX_NUM_VIDEO_DELAY_FRAMES, NUM_PREVIEW_DVS_FRAMES) In other words, we have: MAX_NUM_VIDEO_DELAY_FRAMES = 3 MAX_NUM_DELAY_FRAMES = 2 The MAX_NUM_DELAY_FRAMES macro is used only only when allocating memory. On all other parts, including looping over such array, MAX_NUM_VIDEO_DELAY_FRAMES is used instead, like: void sh_css_binary_args_reset(struct sh_css_binary_args *args) { unsigned int i; ... for (i = 0; i < MAX_NUM_VIDEO_DELAY_FRAMES; i++) args->delay_frames[i] = NULL; Which will cause buffer overflows, with may override the next array (tnr_frames[]). In practice, this may not be causing real issues, as the code checks for num_delay_frames on some parts (but not everywhere). So, get rid of the smallest value. Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
d573933c · Mauro Carvalho Chehab · f6117977 · d573933c · d573933c
Commit d573933c authored May 24, 2020 by Mauro Carvalho Chehab
Showing with 1 addition and 3 deletions

drivers/staging/media/atomisp/pci/ia_css_pipe.h drivers/staging/media/atomisp/pci/ia_css_pipe.h +1 -1

drivers/staging/media/atomisp/pci/sh_css_defs.h drivers/staging/media/atomisp/pci/sh_css_defs.h +0 -2

No files found.
--- a/drivers/staging/media/atomisp/pci/ia_css_pipe.h
+++ b/drivers/staging/media/atomisp/pci/ia_css_pipe.h
@@ -31,7 +31,7 @@ struct ia_css_preview_settings {
 	struct ia_css_binary vf_pp_binary;

 	/* 2401 only for these two - do we in fact use them for anything real */
-	struct ia_css_frame *delay_frames[MAX_NUM_DELAY_FRAMES];
+	struct ia_css_frame *delay_frames[MAX_NUM_VIDEO_DELAY_FRAMES];
 	struct ia_css_frame *tnr_frames[NUM_TNR_FRAMES];

 	struct ia_css_pipe *copy_pipe;

--- a/drivers/staging/media/atomisp/pci/sh_css_defs.h
+++ b/drivers/staging/media/atomisp/pci/sh_css_defs.h
@@ -225,8 +225,6 @@ RGB[0,8191],coef[-8192,8191] -> RGB[0,8191]

 #define NUM_VIDEO_TNR_FRAMES		2

-#define MAX_NUM_DELAY_FRAMES	MAX(MAX_NUM_VIDEO_DELAY_FRAMES, NUM_PREVIEW_DVS_FRAMES)
-
 /* Note that this is the define used to configure all data structures common for all modes */
 /* It should be equal or bigger to the max number of DVS frames for all possible modes */
 /* Rules: these implement logic shared between the host code and ISP firmware.