From 87c34f91f353d450dc43607370755076053e67f0 Mon Sep 17 00:00:00 2001 From: Liu Ying Date: Mon, 18 Apr 2016 10:12:39 +0800 Subject: [PATCH] MLK-12670 mxc IPUv3: common: Fix overrun array ->sec_chan_en and ->thrd_chan_en We've got more than 24 channels defined in ipu_channel_t, which causes potential overrun on array ipu->sec_chan_en and ipu->thrd_chan_en. This patch enlarges the array size to IPU_MAX_CH(32) to fix this issue. This issue is reported by Coverity: Out-of-bounds read (OVERRUN) overrun-local: Overrunning array ipu->sec_chan_en of 24 bytes at byte offset 25 using index channel >> 24 (which evaluates to 25). if ((ipu->sec_chan_en[IPU_CHAN_ID(channel)]) && ((channel == MEM_PP_MEM) || (channel == MEM_PRP_VF_MEM) || (channel == MEM_VDI_PRP_VF_MEM))) { Out-of-bounds read (OVERRUN) overrun-local: Overrunning array ipu->thrd_chan_en of 24 bytes at byte offset 25 using index channel >> 24 (which evaluates to 25). if ((ipu->thrd_chan_en[IPU_CHAN_ID(channel)]) && ((channel == MEM_PP_MEM) || (channel == MEM_PRP_VF_MEM))) { thrd_dma = channel_2_dma(channel, IPU_ALPHA_IN_BUFFER); Signed-off-by: Liu Ying --- drivers/mxc/ipu3/ipu_prv.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/mxc/ipu3/ipu_prv.h b/drivers/mxc/ipu3/ipu_prv.h index 025a7bd59ec6..0a21d922c127 100644 --- a/drivers/mxc/ipu3/ipu_prv.h +++ b/drivers/mxc/ipu3/ipu_prv.h @@ -1,5 +1,5 @@ /* - * Copyright 2005-2015 Freescale Semiconductor, Inc. All Rights Reserved. + * Copyright 2005-2016 Freescale Semiconductor, Inc. All Rights Reserved. */ /* @@ -17,6 +17,7 @@ #include #include #include +#include #include #define MXC_IPU_MAX_NUM 2 @@ -93,8 +94,8 @@ struct ipu_soc { ipu_channel_t csi_channel[2]; ipu_channel_t using_ic_dirct_ch; unsigned char dc_di_assignment[10]; - bool sec_chan_en[24]; - bool thrd_chan_en[24]; + bool sec_chan_en[IPU_MAX_CH]; + bool thrd_chan_en[IPU_MAX_CH]; bool chan_is_interlaced[52]; uint32_t channel_init_mask; uint32_t channel_enable_mask; -- 2.17.1