From: Dan Carpenter
Date: Wed, 19 Jul 2017 09:55:47 +0000 (-0400)
Subject: media: atomisp2: Array underflow in atomisp_enum_input()
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=7b065c554ca55fbc96eced98c7cec0f442ab018a;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git

media: atomisp2: Array underflow in atomisp_enum_input()

The problem here is this code from atomisp_enum_input():

	int index = input->index;

	if (index >= isp->input_cnt)
		return -EINVAL;

	if (!isp->inputs[index].camera)
		return -EINVAL;

"input->index" is a u32 which comes from the ioctl. We want negative values of "index" to be counted as -EINVAL but they aren't. I've fixed this by changing the type of "isp->input_cnt" to unsigned int.

Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")

Signed-off-by: Dan Carpenter
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
---

diff --git a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h index d3667132851b..c8e0c4fe3717 100644 --- a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h +++ b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h @@ -275,7 +275,7 @@ struct atomisp_device { */ struct mutex streamoff_mutex; - int input_cnt; + unsigned int input_cnt; struct atomisp_input_subdev inputs[ATOM_ISP_MAX_INPUTS]; struct v4l2_subdev *flash; struct v4l2_subdev *motor;
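
Review bot: the bounds check is fixed only indirectly by the "unsigned int input_cnt;" change in struct atomisp_device, because the local in atomisp_enum_input() is still "int index = input->index;" and a negative value is rejected solely through the implicit conversion to unsigned in "index >= isp->input_cnt". Consider also declaring the local as unsigned int so it matches the u32 that comes from the ioctl and the check no longer depends on the type of a field declared in another file. A one-line comment on input_cnt noting that it bounds inputs[ATOM_ISP_MAX_INPUTS] and must stay unsigned would keep a later cleanup from changing it back to int and silently reopening the underflow.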