media: atomisp: fix size of delay_frames array

Right now, the variables that define the max number of
delay frames is defined as:

	#define VIDEO_FRAME_DELAY		2
	#define MAX_NUM_VIDEO_DELAY_FRAMES	(VIDEO_FRAME_DELAY + 1)
	#define NUM_PREVIEW_DVS_FRAMES          (2)
	#define MAX_NUM_DELAY_FRAMES   MAX(MAX_NUM_VIDEO_DELAY_FRAMES, NUM_PREVIEW_DVS_FRAMES)

In other words, we have:
	MAX_NUM_VIDEO_DELAY_FRAMES = 3
	MAX_NUM_DELAY_FRAMES = 2

The MAX_NUM_DELAY_FRAMES macro is used only only when allocating
memory. On all other parts, including looping over such array,
MAX_NUM_VIDEO_DELAY_FRAMES is used instead, like:

	void sh_css_binary_args_reset(struct sh_css_binary_args *args)
	{
		unsigned int i;
	...

		for (i = 0; i < MAX_NUM_VIDEO_DELAY_FRAMES; i++)
			args->delay_frames[i] = NULL;

Which will cause buffer overflows, with may override the next array
(tnr_frames[]).

In practice, this may not be causing real issues, as the code
checks for num_delay_frames on some parts (but not everywhere).

So, get rid of the smallest value.

Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
This commit is contained in:
Mauro Carvalho Chehab 2020-05-24 09:11:07 +02:00
parent f611797795
commit d573933c80
2 changed files with 1 additions and 3 deletions
drivers/staging/media/atomisp/pci

View File

@ -31,7 +31,7 @@ struct ia_css_preview_settings {
struct ia_css_binary vf_pp_binary; struct ia_css_binary vf_pp_binary;
/* 2401 only for these two - do we in fact use them for anything real */ /* 2401 only for these two - do we in fact use them for anything real */
struct ia_css_frame *delay_frames[MAX_NUM_DELAY_FRAMES]; struct ia_css_frame *delay_frames[MAX_NUM_VIDEO_DELAY_FRAMES];
struct ia_css_frame *tnr_frames[NUM_TNR_FRAMES]; struct ia_css_frame *tnr_frames[NUM_TNR_FRAMES];
struct ia_css_pipe *copy_pipe; struct ia_css_pipe *copy_pipe;

View File

@ -225,8 +225,6 @@ RGB[0,8191],coef[-8192,8191] -> RGB[0,8191]
#define NUM_VIDEO_TNR_FRAMES 2 #define NUM_VIDEO_TNR_FRAMES 2
#define MAX_NUM_DELAY_FRAMES MAX(MAX_NUM_VIDEO_DELAY_FRAMES, NUM_PREVIEW_DVS_FRAMES)
/* Note that this is the define used to configure all data structures common for all modes */ /* Note that this is the define used to configure all data structures common for all modes */
/* It should be equal or bigger to the max number of DVS frames for all possible modes */ /* It should be equal or bigger to the max number of DVS frames for all possible modes */
/* Rules: these implement logic shared between the host code and ISP firmware. /* Rules: these implement logic shared between the host code and ISP firmware.