Re: [PATCH] [media] s3c-camif: array underflow in __camif_subdev_try_format()

On Wed, Jan 24, 2018 at 9:13 AM, Dan Carpenter wrote: > On Mon, Jan 22, 2018 at 09:50:04PM +0100, Sylwester Nawrocki wrote: >> On 01/22/2018 11:37 AM, Dan Carpenter wrote: > I happened to be looking at the same bugs but using Smatch. Did you get > these two bugs as

Re: [PATCH] [media] s3c-camif: array underflow in __camif_subdev_try_format()

On Mon, Jan 22, 2018 at 09:50:04PM +0100, Sylwester Nawrocki wrote: > On 01/22/2018 11:37 AM, Dan Carpenter wrote: > > --- a/drivers/media/platform/s3c-camif/camif-capture.c > > +++ b/drivers/media/platform/s3c-camif/camif-capture.c > > @@ -1261,11 +1261,11 @@ static void

Re: [PATCH] [media] s3c-camif: array underflow in __camif_subdev_try_format()

On 01/22/2018 11:37 AM, Dan Carpenter wrote: > The while loop is a post op, "while (i-- >= 0)" so the last iteration > will read camif_mbus_formats[-1] and then the loop will exit with "i" > set to -2 and so we do: "mf->code = camif_mbus_formats[-2];". > > I've changed it to a pre-op, I've added

[PATCH] [media] s3c-camif: array underflow in __camif_subdev_try_format()

The while loop is a post op, "while (i-- >= 0)" so the last iteration will read camif_mbus_formats[-1] and then the loop will exit with "i" set to -2 and so we do: "mf->code = camif_mbus_formats[-2];". I've changed it to a pre-op, I've added a check to ensure we found the right format and I've