Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 5d6de11c331d61dd27cf02f54243ebd1fcfbbfb3
commit5d6de11c331d61dd27cf02f54243ebd1fcfbbfb3[log] [tgz]
authorDan Carpenter <dan.carpenter@oracle.com>Thu Sep 18 09:23:36 2014 -0300
committerMauro Carvalho Chehab <mchehab@osg.samsung.com>Fri Sep 26 06:47:43 2014 -0300
treed75c3268671388c68d4ae20df6a884bc1200ac91
parent197a47f2d51022c613bc7bf40953a0fa3497b9c5 [diff]
[media] mx2-camera: potential negative underflow bug

My static checker complains:

	drivers/media/platform/soc_camera/mx2_camera.c:1070
	mx2_emmaprp_resize() warn: no lower bound on 'num'

The heuristic is that it's looking for values which the user can
influence and we put an upper bound on them but we (perhaps
accidentally) allow negative numbers.

I am not very familiar with this code but I have looked at it and think
there might be a bug.  Making the variable unsigned seems like a safe
option either way and this silences the static checker warning.

The call tree is:
  -> subdev_do_ioctl()
     -> mx2_camera_set_fmt()
        -> mx2_emmaprp_resize()
The check:
	if (num > RESIZE_NUM_MAX)
can underflow and then we use "num" on the else path.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
1 file changed
tree: d75c3268671388c68d4ae20df6a884bc1200ac91
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS