Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue

2017-03-13 Thread Hans Verkuil 
On 03/13/2017 10:32 AM, Wu, Songjun wrote:
> 
> 
> On 3/13/2017 17:25, Hans Verkuil wrote:
>> On 03/13/2017 06:53 AM, Wu, Songjun wrote:
>>>
>>>
>>> On 3/9/2017 18:57, Hans Verkuil wrote:
 Hi Songjun,

 On 08/03/17 03:25, Wu, Songjun wrote:
> Hi Colin,
>
> Thank you for your comment.
> It is a bug, will be fixed in the next patch.

 Do you mean that you will provide a new patch for this? Is there anything
 wrong with this patch? It seems reasonable to me.

>>> Hi Hans,
>>>
>>> I see this patch is merged in git://linuxtv.org/media_tree.git.
>>> So I do not need submit isc-pipeline-v3 patch, just submit the patches,
>>> based on the current master branch?
>>
>> Huh? Where do you see that this patch is merged? I don't see it in the 
>> media_tree master
>> branch.
>>
> Hi Hans,
> 
> I see this patch on the master branch in media_tree.
> https://git.linuxtv.org/media_tree.git/tree/drivers/media/platform/atmel/atmel-isc.c

???

That's a link to the source, not a patch.

And that source still does <= HIST_ENTRIES.

Still confused,

Hans

> 
>> Regards,
>>
>>  Hans
>>
>>>
 Regards,

Hans

>
> On 3/7/2017 22:30, Colin King wrote:
>> From: Colin Ian King 
>>
>> The are only HIST_ENTRIES worth of entries in  hist_entry however the
>> for-loop is iterating one too many times leasing to a read access off
>> the end off the array ctrls->hist_entry.  Fix this by iterating by
>> the correct number of times.
>>
>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>>
>> Signed-off-by: Colin Ian King 
>> ---
>>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/media/platform/atmel/atmel-isc.c 
>> b/drivers/media/platform/atmel/atmel-isc.c
>> index b380a7d..7dacf8c 100644
>> --- a/drivers/media/platform/atmel/atmel-isc.c
>> +++ b/drivers/media/platform/atmel/atmel-isc.c
>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>>  regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>>
>>  *hist_count = 0;
>> -for (i = 0; i <= HIST_ENTRIES; i++)
>> +for (i = 0; i < HIST_ENTRIES; i++)
>>  *hist_count += i * (*hist_entry++);
>>  }
>>
>>

>>

Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue

2017-03-13 Thread Wu, Songjun 



On 3/13/2017 17:25, Hans Verkuil wrote:

On 03/13/2017 06:53 AM, Wu, Songjun wrote:



On 3/9/2017 18:57, Hans Verkuil wrote:

Hi Songjun,

On 08/03/17 03:25, Wu, Songjun wrote:

Hi Colin,

Thank you for your comment.
It is a bug, will be fixed in the next patch.


Do you mean that you will provide a new patch for this? Is there anything
wrong with this patch? It seems reasonable to me.


Hi Hans,

I see this patch is merged in git://linuxtv.org/media_tree.git.
So I do not need submit isc-pipeline-v3 patch, just submit the patches,
based on the current master branch?


Huh? Where do you see that this patch is merged? I don't see it in the 
media_tree master
branch.


Hi Hans,

I see this patch on the master branch in media_tree.
https://git.linuxtv.org/media_tree.git/tree/drivers/media/platform/atmel/atmel-isc.c


Regards,

Hans




Regards,

Hans



On 3/7/2017 22:30, Colin King wrote:

From: Colin Ian King 

The are only HIST_ENTRIES worth of entries in  hist_entry however the
for-loop is iterating one too many times leasing to a read access off
the end off the array ctrls->hist_entry.  Fix this by iterating by
the correct number of times.

Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")

Signed-off-by: Colin Ian King 
---
 drivers/media/platform/atmel/atmel-isc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/atmel/atmel-isc.c 
b/drivers/media/platform/atmel/atmel-isc.c
index b380a7d..7dacf8c 100644
--- a/drivers/media/platform/atmel/atmel-isc.c
+++ b/drivers/media/platform/atmel/atmel-isc.c
@@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
 regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);

 *hist_count = 0;
-for (i = 0; i <= HIST_ENTRIES; i++)
+for (i = 0; i < HIST_ENTRIES; i++)
 *hist_count += i * (*hist_entry++);
 }

Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue

2017-03-13 Thread Hans Verkuil 
On 03/13/2017 06:53 AM, Wu, Songjun wrote:
> 
> 
> On 3/9/2017 18:57, Hans Verkuil wrote:
>> Hi Songjun,
>>
>> On 08/03/17 03:25, Wu, Songjun wrote:
>>> Hi Colin,
>>>
>>> Thank you for your comment.
>>> It is a bug, will be fixed in the next patch.
>>
>> Do you mean that you will provide a new patch for this? Is there anything
>> wrong with this patch? It seems reasonable to me.
>>
> Hi Hans,
> 
> I see this patch is merged in git://linuxtv.org/media_tree.git.
> So I do not need submit isc-pipeline-v3 patch, just submit the patches, 
> based on the current master branch?

Huh? Where do you see that this patch is merged? I don't see it in the 
media_tree master
branch.

Regards,

Hans

> 
>> Regards,
>>
>>  Hans
>>
>>>
>>> On 3/7/2017 22:30, Colin King wrote:
 From: Colin Ian King 

 The are only HIST_ENTRIES worth of entries in  hist_entry however the
 for-loop is iterating one too many times leasing to a read access off
 the end off the array ctrls->hist_entry.  Fix this by iterating by
 the correct number of times.

 Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")

 Signed-off-by: Colin Ian King 
 ---
  drivers/media/platform/atmel/atmel-isc.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/drivers/media/platform/atmel/atmel-isc.c 
 b/drivers/media/platform/atmel/atmel-isc.c
 index b380a7d..7dacf8c 100644
 --- a/drivers/media/platform/atmel/atmel-isc.c
 +++ b/drivers/media/platform/atmel/atmel-isc.c
 @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
  regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);

  *hist_count = 0;
 -for (i = 0; i <= HIST_ENTRIES; i++)
 +for (i = 0; i < HIST_ENTRIES; i++)
  *hist_count += i * (*hist_entry++);
  }


>>

Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue

2017-03-12 Thread Wu, Songjun 



On 3/9/2017 18:57, Hans Verkuil wrote:

Hi Songjun,

On 08/03/17 03:25, Wu, Songjun wrote:

Hi Colin,

Thank you for your comment.
It is a bug, will be fixed in the next patch.


Do you mean that you will provide a new patch for this? Is there anything
wrong with this patch? It seems reasonable to me.


Hi Hans,

I see this patch is merged in git://linuxtv.org/media_tree.git.
So I do not need submit isc-pipeline-v3 patch, just submit the patches, 
based on the current master branch?



Regards,

Hans



On 3/7/2017 22:30, Colin King wrote:

From: Colin Ian King 

The are only HIST_ENTRIES worth of entries in  hist_entry however the
for-loop is iterating one too many times leasing to a read access off
the end off the array ctrls->hist_entry.  Fix this by iterating by
the correct number of times.

Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")

Signed-off-by: Colin Ian King 
---
 drivers/media/platform/atmel/atmel-isc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/atmel/atmel-isc.c 
b/drivers/media/platform/atmel/atmel-isc.c
index b380a7d..7dacf8c 100644
--- a/drivers/media/platform/atmel/atmel-isc.c
+++ b/drivers/media/platform/atmel/atmel-isc.c
@@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
 regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);

 *hist_count = 0;
-for (i = 0; i <= HIST_ENTRIES; i++)
+for (i = 0; i < HIST_ENTRIES; i++)
 *hist_count += i * (*hist_entry++);
 }

Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue

2017-03-12 Thread Wu, Songjun 



On 3/9/2017 19:50, Colin Ian King wrote:

On 09/03/17 11:49, walter harms wrote:



Am 09.03.2017 11:57, schrieb Hans Verkuil:

Hi Songjun,

On 08/03/17 03:25, Wu, Songjun wrote:

Hi Colin,

Thank you for your comment.
It is a bug, will be fixed in the next patch.


Do you mean that you will provide a new patch for this? Is there anything
wrong with this patch? It seems reasonable to me.

Regards,

Hans





perhaps he will make it a bit more readable, like:

*hist_count += i * (*hist_entry++);

*hist_count += hist_entry[i]*i;


As long as it gets fixed somehow, then I'm happy.


You suggestion is very good, I will modify it like this.
Thank you.


Colin



re,
 wh


On 3/7/2017 22:30, Colin King wrote:

From: Colin Ian King 

The are only HIST_ENTRIES worth of entries in  hist_entry however the
for-loop is iterating one too many times leasing to a read access off
the end off the array ctrls->hist_entry.  Fix this by iterating by
the correct number of times.

Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")

Signed-off-by: Colin Ian King 
---
 drivers/media/platform/atmel/atmel-isc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/atmel/atmel-isc.c 
b/drivers/media/platform/atmel/atmel-isc.c
index b380a7d..7dacf8c 100644
--- a/drivers/media/platform/atmel/atmel-isc.c
+++ b/drivers/media/platform/atmel/atmel-isc.c
@@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
 regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);

 *hist_count = 0;
-for (i = 0; i <= HIST_ENTRIES; i++)
+for (i = 0; i < HIST_ENTRIES; i++)
 *hist_count += i * (*hist_entry++);
 }










--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue

2017-03-09 Thread walter harms 


Am 09.03.2017 11:57, schrieb Hans Verkuil:
> Hi Songjun,
> 
> On 08/03/17 03:25, Wu, Songjun wrote:
>> Hi Colin,
>>
>> Thank you for your comment.
>> It is a bug, will be fixed in the next patch.
> 
> Do you mean that you will provide a new patch for this? Is there anything
> wrong with this patch? It seems reasonable to me.
> 
> Regards,
> 
>   Hans
> 



perhaps he will make it a bit more readable, like:

*hist_count += i * (*hist_entry++);

*hist_count += hist_entry[i]*i;


re,
 wh
>>
>> On 3/7/2017 22:30, Colin King wrote:
>>> From: Colin Ian King 
>>>
>>> The are only HIST_ENTRIES worth of entries in  hist_entry however the
>>> for-loop is iterating one too many times leasing to a read access off
>>> the end off the array ctrls->hist_entry.  Fix this by iterating by
>>> the correct number of times.
>>>
>>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>>>
>>> Signed-off-by: Colin Ian King 
>>> ---
>>>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/media/platform/atmel/atmel-isc.c 
>>> b/drivers/media/platform/atmel/atmel-isc.c
>>> index b380a7d..7dacf8c 100644
>>> --- a/drivers/media/platform/atmel/atmel-isc.c
>>> +++ b/drivers/media/platform/atmel/atmel-isc.c
>>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>>>  regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>>>
>>>  *hist_count = 0;
>>> -for (i = 0; i <= HIST_ENTRIES; i++)
>>> +for (i = 0; i < HIST_ENTRIES; i++)
>>>  *hist_count += i * (*hist_entry++);
>>>  }
>>>
>>>
> 




> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue

2017-03-09 Thread Colin Ian King 
On 09/03/17 11:49, walter harms wrote:
> 
> 
> Am 09.03.2017 11:57, schrieb Hans Verkuil:
>> Hi Songjun,
>>
>> On 08/03/17 03:25, Wu, Songjun wrote:
>>> Hi Colin,
>>>
>>> Thank you for your comment.
>>> It is a bug, will be fixed in the next patch.
>>
>> Do you mean that you will provide a new patch for this? Is there anything
>> wrong with this patch? It seems reasonable to me.
>>
>> Regards,
>>
>>  Hans
>>
> 
> 
> 
> perhaps he will make it a bit more readable, like:
> 
> *hist_count += i * (*hist_entry++);
> 
> *hist_count += hist_entry[i]*i;

As long as it gets fixed somehow, then I'm happy.

Colin
> 
> 
> re,
>  wh
>>>
>>> On 3/7/2017 22:30, Colin King wrote:
 From: Colin Ian King 

 The are only HIST_ENTRIES worth of entries in  hist_entry however the
 for-loop is iterating one too many times leasing to a read access off
 the end off the array ctrls->hist_entry.  Fix this by iterating by
 the correct number of times.

 Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")

 Signed-off-by: Colin Ian King 
 ---
  drivers/media/platform/atmel/atmel-isc.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/drivers/media/platform/atmel/atmel-isc.c 
 b/drivers/media/platform/atmel/atmel-isc.c
 index b380a7d..7dacf8c 100644
 --- a/drivers/media/platform/atmel/atmel-isc.c
 +++ b/drivers/media/platform/atmel/atmel-isc.c
 @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
  regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);

  *hist_count = 0;
 -for (i = 0; i <= HIST_ENTRIES; i++)
 +for (i = 0; i < HIST_ENTRIES; i++)
  *hist_count += i * (*hist_entry++);
  }


>>
> 
> 
> 
> 
>> --
>> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
>> the body of a message to majord...@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>

Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue

2017-03-09 Thread Hans Verkuil 
Hi Songjun,

On 08/03/17 03:25, Wu, Songjun wrote:
> Hi Colin,
> 
> Thank you for your comment.
> It is a bug, will be fixed in the next patch.

Do you mean that you will provide a new patch for this? Is there anything
wrong with this patch? It seems reasonable to me.

Regards,

Hans

> 
> On 3/7/2017 22:30, Colin King wrote:
>> From: Colin Ian King 
>>
>> The are only HIST_ENTRIES worth of entries in  hist_entry however the
>> for-loop is iterating one too many times leasing to a read access off
>> the end off the array ctrls->hist_entry.  Fix this by iterating by
>> the correct number of times.
>>
>> Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")
>>
>> Signed-off-by: Colin Ian King 
>> ---
>>  drivers/media/platform/atmel/atmel-isc.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/media/platform/atmel/atmel-isc.c 
>> b/drivers/media/platform/atmel/atmel-isc.c
>> index b380a7d..7dacf8c 100644
>> --- a/drivers/media/platform/atmel/atmel-isc.c
>> +++ b/drivers/media/platform/atmel/atmel-isc.c
>> @@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
>>  regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
>>
>>  *hist_count = 0;
>> -for (i = 0; i <= HIST_ENTRIES; i++)
>> +for (i = 0; i < HIST_ENTRIES; i++)
>>  *hist_count += i * (*hist_entry++);
>>  }
>>
>>

Re: [PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue

2017-03-07 Thread Wu, Songjun 

Hi Colin,

Thank you for your comment.
It is a bug, will be fixed in the next patch.

On 3/7/2017 22:30, Colin King wrote:

From: Colin Ian King 

The are only HIST_ENTRIES worth of entries in  hist_entry however the
for-loop is iterating one too many times leasing to a read access off
the end off the array ctrls->hist_entry.  Fix this by iterating by
the correct number of times.

Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")

Signed-off-by: Colin Ian King 
---
 drivers/media/platform/atmel/atmel-isc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/atmel/atmel-isc.c 
b/drivers/media/platform/atmel/atmel-isc.c
index b380a7d..7dacf8c 100644
--- a/drivers/media/platform/atmel/atmel-isc.c
+++ b/drivers/media/platform/atmel/atmel-isc.c
@@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);

*hist_count = 0;
-   for (i = 0; i <= HIST_ENTRIES; i++)
+   for (i = 0; i < HIST_ENTRIES; i++)
*hist_count += i * (*hist_entry++);
 }

[PATCH] [media] atmel-isc: fix off-by-one comparison and out of bounds read issue

2017-03-07 Thread Colin King 
From: Colin Ian King 

The are only HIST_ENTRIES worth of entries in  hist_entry however the
for-loop is iterating one too many times leasing to a read access off
the end off the array ctrls->hist_entry.  Fix this by iterating by
the correct number of times.

Detected by CoverityScan, CID#1415279 ("Out-of-bounds read")

Signed-off-by: Colin Ian King 
---
 drivers/media/platform/atmel/atmel-isc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/atmel/atmel-isc.c 
b/drivers/media/platform/atmel/atmel-isc.c
index b380a7d..7dacf8c 100644
--- a/drivers/media/platform/atmel/atmel-isc.c
+++ b/drivers/media/platform/atmel/atmel-isc.c
@@ -1298,7 +1298,7 @@ static void isc_hist_count(struct isc_device *isc)
regmap_bulk_read(regmap, ISC_HIS_ENTRY, hist_entry, HIST_ENTRIES);
 
*hist_count = 0;
-   for (i = 0; i <= HIST_ENTRIES; i++)
+   for (i = 0; i < HIST_ENTRIES; i++)
*hist_count += i * (*hist_entry++);
 }
 
-- 
2.10.2