[bug report] staging: Import the BCM2835 MMAL-based V4L2 camera driver.

Dan Carpenter dan.carpenter at oracle.com
Thu Nov 29 11:51:23 UTC 2018


Hello Eric Anholt,

The patch 7b3ad5abf027: "staging: Import the BCM2835 MMAL-based V4L2
camera driver." from Jan 27, 2017, leads to the following static
checker warning:

	drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c:1640 vchiq_mmal_component_init()
	error: buffer overflow 'component->input' 4 <= 187

drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
  1607  int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
  1608                                const char *name,
  1609                                struct vchiq_mmal_component **component_out)
  1610  {
  1611          int ret;
  1612          int idx;                /* port index */
  1613          struct vchiq_mmal_component *component;
  1614  
  1615          if (mutex_lock_interruptible(&instance->vchiq_mutex))
  1616                  return -EINTR;
  1617  
  1618          if (instance->component_idx == VCHIQ_MMAL_MAX_COMPONENTS) {
  1619                  ret = -EINVAL;  /* todo is this correct error? */
  1620                  goto unlock;
  1621          }
  1622  
  1623          component = &instance->component[instance->component_idx];
  1624  
  1625          ret = create_component(instance, component, name);
  1626          if (ret < 0)
  1627                  goto unlock;
  1628  
  1629          /* ports info needs gathering */
  1630          component->control.type = MMAL_PORT_TYPE_CONTROL;
  1631          component->control.index = 0;
  1632          component->control.component = component;
  1633          spin_lock_init(&component->control.slock);
  1634          INIT_LIST_HEAD(&component->control.buffers);
  1635          ret = port_info_get(instance, &component->control);
  1636          if (ret < 0)
  1637                  goto release_component;
  1638  
  1639          for (idx = 0; idx < component->inputs; idx++) {
                                    ^^^^^^^^^^^^^^^^^
This is set in create_component().  I have no idea why Smatch thinks
that it is 187, but it does seem like it should be capped to make sure
it's not larger than 4.

  1640                  component->input[idx].type = MMAL_PORT_TYPE_INPUT;
  1641                  component->input[idx].index = idx;
  1642                  component->input[idx].component = component;
  1643                  spin_lock_init(&component->input[idx].slock);
  1644                  INIT_LIST_HEAD(&component->input[idx].buffers);
  1645                  ret = port_info_get(instance, &component->input[idx]);
  1646                  if (ret < 0)
  1647                          goto release_component;
  1648          }

regards,
dan carpenter
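
The capping suggested in the report, sketched as a stand-alone user-space C model (an added example, not part of the original e-mail and not the driver's code). The struct layouts, `MAX_INPUT_PORTS`, `CANARY`, `struct create_reply` and the function names are assumptions; only the array size of 4 and the count of 187 come from the warning above. It rejects an oversized count where it is stored rather than clamping it, which is one of the two obvious choices.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_INPUT_PORTS 4               /* array size from the warning */
#define CANARY 0xC0FFEEu                /* constructed guard value */
struct port { int type; uint32_t index; };
/* Hypothetical, simplified model of a component (not the driver's struct). */
struct component {
	uint32_t inputs;                    /* count reported by the remote side */
	struct port input[MAX_INPUT_PORTS];
	uint32_t canary;                    /* sits right after the array */
};

/* Hypothetical stand-in for the reply that create_component() parses. */
struct create_reply { uint32_t input_num; };

/* Validate the count where it is stored, so every later loop can trust it. */
static int component_set_counts(struct component *c,
				const struct create_reply *r)
{
	if (r->input_num > MAX_INPUT_PORTS)
		return -EINVAL;
	c->inputs = r->input_num;
	return 0;
}

/* Returns the number of ports initialised, or a negative errno. */
int component_init(struct component *c, const struct create_reply *r)
{
	uint32_t idx;
	c->inputs = 0;
	c->canary = CANARY;
	int ret = component_set_counts(c, r);
	if (ret < 0)
		return ret;
	for (idx = 0; idx < c->inputs; idx++) {
		c->input[idx].type = 1;     /* placeholder port type */
		c->input[idx].index = idx;
	}
	return (int)c->inputs;
}

int main(void)
{
	struct component c;
	struct create_reply ok = { 4 }, bad = { 187 };  /* constructed replies */
	printf("4 -> %d, 187 -> %d\n", component_init(&c, &ok),
	       component_init(&c, &bad));
	return 0;
}
```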
