This is an automated email from the ASF dual-hosted git repository. jerpelea pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nuttx.git
commit bac0228825ee93af86b66ee1d69081f54b248d4c Author: SPRESENSE <41312067+sprese...@users.noreply.github.com> AuthorDate: Tue Dec 19 15:25:59 2023 +0900 drivers/video/isx012: Fix buffer overrun of isx012_putreg() The maximum size of ISX012 register is 4 bytes. So, extend temporary buffer size. Detected by CodeSonar 141893 --- drivers/video/isx012.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/video/isx012.c b/drivers/video/isx012.c index 5c4b69bb90..d612a689c7 100644 --- a/drivers/video/isx012.c +++ b/drivers/video/isx012.c @@ -216,7 +216,7 @@ typedef struct isx012_dev_s isx012_dev_t; static uint16_t isx012_getreg(FAR isx012_dev_t *priv, uint16_t regaddr, uint16_t regsize); static int isx012_putreg(FAR isx012_dev_t *priv, uint16_t regaddr, - uint16_t regval, uint16_t regsize); + uint32_t regval, uint16_t regsize); static int isx012_putreglist(FAR isx012_dev_t *priv, FAR const isx012_reg_t *reglist, size_t nentries); #ifdef ISX012_CHECK_IN_DETAIL @@ -676,8 +676,8 @@ static uint16_t isx012_getreg(FAR isx012_dev_t *priv, uint16_t regaddr, uint16_t regsize) { struct i2c_config_s config; - volatile uint16_t regval = 0; - volatile uint8_t buffer[2]; + uint16_t regval = 0; + uint8_t buffer[2]; int ret; /* Set up the I2C configuration */ @@ -719,12 +719,14 @@ static uint16_t isx012_getreg(FAR isx012_dev_t *priv, } static int isx012_putreg(FAR isx012_dev_t *priv, - uint16_t regaddr, uint16_t regval, uint16_t regsize) + uint16_t regaddr, uint32_t regval, uint16_t regsize) { struct i2c_config_s config; - volatile uint8_t buffer[4]; + uint8_t buffer[6]; int ret; + DEBUGASSERT(regsize <= 4); + /* Set up the I2C configuration */ config.frequency = priv->i2c_freq; @@ -779,7 +781,7 @@ static int isx012_chk_int_state(FAR isx012_dev_t *priv, uint32_t wait_time, uint32_t timeout) { int ret = 0; - volatile uint8_t data; + uint8_t data; uint32_t time = 0; nxsig_usleep(delay_time * 1000);