diff options
| author | Mauro Carvalho Chehab <mchehab+huawei@kernel.org> | 2020-05-24 09:11:07 +0200 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab+huawei@kernel.org> | 2020-06-11 18:02:30 +0200 |
| commit | d573933c80bd0fe32beb4fba93b965b1fe82411a (patch) | |
| tree | a8542d7df205c98aed9370705d90e7d306bdb6ba | |
| parent | f611797795f2d19e565f38c20516427596a0f27f (diff) | |
| download | linux-d573933c80bd0fe32beb4fba93b965b1fe82411a.tar.gz | |
media: atomisp: fix size of delay_frames array
Right now, the variables that define the max number of
delay frames is defined as:
#define VIDEO_FRAME_DELAY 2
#define MAX_NUM_VIDEO_DELAY_FRAMES (VIDEO_FRAME_DELAY + 1)
#define NUM_PREVIEW_DVS_FRAMES (2)
#define MAX_NUM_DELAY_FRAMES MAX(MAX_NUM_VIDEO_DELAY_FRAMES, NUM_PREVIEW_DVS_FRAMES)
In other words, we have:
MAX_NUM_VIDEO_DELAY_FRAMES = 3
MAX_NUM_DELAY_FRAMES = 2
The MAX_NUM_DELAY_FRAMES macro is used only only when allocating
memory. On all other parts, including looping over such array,
MAX_NUM_VIDEO_DELAY_FRAMES is used instead, like:
void sh_css_binary_args_reset(struct sh_css_binary_args *args)
{
unsigned int i;
...
for (i = 0; i < MAX_NUM_VIDEO_DELAY_FRAMES; i++)
args->delay_frames[i] = NULL;
Which will cause buffer overflows, with may override the next array
(tnr_frames[]).
In practice, this may not be causing real issues, as the code
checks for num_delay_frames on some parts (but not everywhere).
So, get rid of the smallest value.
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
| -rw-r--r-- | drivers/staging/media/atomisp/pci/ia_css_pipe.h | 2 | ||||
| -rw-r--r-- | drivers/staging/media/atomisp/pci/sh_css_defs.h | 2 |
2 files changed, 1 insertions, 3 deletions
diff --git a/drivers/staging/media/atomisp/pci/ia_css_pipe.h b/drivers/staging/media/atomisp/pci/ia_css_pipe.h index 91653952f1a76f..9c9e1264feb07f 100644 --- a/drivers/staging/media/atomisp/pci/ia_css_pipe.h +++ b/drivers/staging/media/atomisp/pci/ia_css_pipe.h @@ -31,7 +31,7 @@ struct ia_css_preview_settings { struct ia_css_binary vf_pp_binary; /* 2401 only for these two - do we in fact use them for anything real */ - struct ia_css_frame *delay_frames[MAX_NUM_DELAY_FRAMES]; + struct ia_css_frame *delay_frames[MAX_NUM_VIDEO_DELAY_FRAMES]; struct ia_css_frame *tnr_frames[NUM_TNR_FRAMES]; struct ia_css_pipe *copy_pipe; diff --git a/drivers/staging/media/atomisp/pci/sh_css_defs.h b/drivers/staging/media/atomisp/pci/sh_css_defs.h index fcd5081edf82f0..d444af82c309d9 100644 --- a/drivers/staging/media/atomisp/pci/sh_css_defs.h +++ b/drivers/staging/media/atomisp/pci/sh_css_defs.h @@ -225,8 +225,6 @@ RGB[0,8191],coef[-8192,8191] -> RGB[0,8191] #define NUM_VIDEO_TNR_FRAMES 2 -#define MAX_NUM_DELAY_FRAMES MAX(MAX_NUM_VIDEO_DELAY_FRAMES, NUM_PREVIEW_DVS_FRAMES) - /* Note that this is the define used to configure all data structures common for all modes */ /* It should be equal or bigger to the max number of DVS frames for all possible modes */ /* Rules: these implement logic shared between the host code and ISP firmware. |