5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 9 Nov 2024 12:02:03 +0000 (13:02 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 9 Nov 2024 12:02:03 +0000 (13:02 +0100)
added patches:
media-cx24116-prevent-overflows-on-snr-calculus.patch
media-s5p-jpeg-prevent-buffer-overflows.patch
media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch

queue-5.4/media-cx24116-prevent-overflows-on-snr-calculus.patch [new file with mode: 0644]
queue-5.4/media-s5p-jpeg-prevent-buffer-overflows.patch [new file with mode: 0644]
queue-5.4/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/media-cx24116-prevent-overflows-on-snr-calculus.patch b/queue-5.4/media-cx24116-prevent-overflows-on-snr-calculus.patch
new file mode 100644 (file)
index 0000000..92da5b9
--- /dev/null
@@ -0,0 +1,46 @@
+From 576a307a7650bd544fbb24df801b9b7863b85e2f Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 12:14:11 +0200
+Subject: media: cx24116: prevent overflows on SNR calculus
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 576a307a7650bd544fbb24df801b9b7863b85e2f upstream.
+
+as reported by Coverity, if reading SNR registers fail, a negative
+number will be returned, causing an underflow when reading SNR
+registers.
+
+Prevent that.
+
+Fixes: 8953db793d5b ("V4L/DVB (9178): cx24116: Add module parameter to return SNR as ESNO.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/cx24116.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/cx24116.c
++++ b/drivers/media/dvb-frontends/cx24116.c
+@@ -741,6 +741,7 @@ static int cx24116_read_snr_pct(struct d
+ {
+       struct cx24116_state *state = fe->demodulator_priv;
+       u8 snr_reading;
++      int ret;
+       static const u32 snr_tab[] = { /* 10 x Table (rounded up) */
+               0x00000, 0x0199A, 0x03333, 0x04ccD, 0x06667,
+               0x08000, 0x0999A, 0x0b333, 0x0cccD, 0x0e667,
+@@ -749,7 +750,11 @@ static int cx24116_read_snr_pct(struct d
+       dprintk("%s()\n", __func__);
+-      snr_reading = cx24116_readreg(state, CX24116_REG_QUALITY0);
++      ret = cx24116_readreg(state, CX24116_REG_QUALITY0);
++      if (ret  < 0)
++              return ret;
++
++      snr_reading = ret;
+       if (snr_reading >= 0xa0 /* 100% */)
+               *snr = 0xffff;
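Review bot: The error check added to cx24116_read_snr_pct() does not say why the read now goes through `int ret` first, and it carries a doubled space (`if (ret  < 0)`). Per the commit message, cx24116_readreg() returns a negative number on failure, and assigning that straight to the `u8 snr_reading` would truncate it into what looks like a valid reading. A comment such as `/* negative errno from readreg must not be truncated into the u8 */` above `if (ret < 0)` would keep a later cleanup from folding the two lines back together. Other cx24116_readreg() callers in this driver are outside the hunk, so whether any of them still store the result in a narrow unsigned variable should be checked separately. The function body starts and ends outside the hunk.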
diff --git a/queue-5.4/media-s5p-jpeg-prevent-buffer-overflows.patch b/queue-5.4/media-s5p-jpeg-prevent-buffer-overflows.patch
new file mode 100644 (file)
index 0000000..44dc952
--- /dev/null
@@ -0,0 +1,87 @@
+From 14a22762c3daeac59a5a534e124acbb4d7a79b3a Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 11:10:31 +0200
+Subject: media: s5p-jpeg: prevent buffer overflows
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream.
+
+The current logic allows word to be less than 2. If this happens,
+there will be buffer overflows, as reported by smatch. Add extra
+checks to prevent it.
+
+While here, remove an unused word = 0 assignment.
+
+Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/s5p-jpeg/jpeg-core.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
+@@ -774,11 +774,14 @@ static void exynos4_jpeg_parse_decode_h_
+               (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
+       jpeg_buffer.curr = 0;
+-      word = 0;
+-
+       if (get_word_be(&jpeg_buffer, &word))
+               return;
+-      jpeg_buffer.size = (long)word - 2;
++
++      if (word < 2)
++              jpeg_buffer.size = 0;
++      else
++              jpeg_buffer.size = (long)word - 2;
++
+       jpeg_buffer.data += 2;
+       jpeg_buffer.curr = 0;
+@@ -1057,6 +1060,7 @@ static int get_word_be(struct s5p_jpeg_b
+       if (byte == -1)
+               return -1;
+       *word = (unsigned int)byte | temp;
++
+       return 0;
+ }
+@@ -1144,7 +1148,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+                       if (get_word_be(&jpeg_buffer, &word))
+                               break;
+                       length = (long)word - 2;
+-                      if (!length)
++                      if (length <= 0)
+                               return false;
+                       sof = jpeg_buffer.curr; /* after 0xffc0 */
+                       sof_len = length;
+@@ -1175,7 +1179,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+                       if (get_word_be(&jpeg_buffer, &word))
+                               break;
+                       length = (long)word - 2;
+-                      if (!length)
++                      if (length <= 0)
+                               return false;
+                       if (n_dqt >= S5P_JPEG_MAX_MARKER)
+                               return false;
+@@ -1188,7 +1192,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+                       if (get_word_be(&jpeg_buffer, &word))
+                               break;
+                       length = (long)word - 2;
+-                      if (!length)
++                      if (length <= 0)
+                               return false;
+                       if (n_dht >= S5P_JPEG_MAX_MARKER)
+                               return false;
+@@ -1213,6 +1217,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+                       if (get_word_be(&jpeg_buffer, &word))
+                               break;
+                       length = (long)word - 2;
++                      /* No need to check underflows as skip() does it  */
+                       skip(&jpeg_buffer, length);
+                       break;
+               }
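Review bot: In exynos4_jpeg_parse_decode_h_tbl() the new `if (word < 2)` branch gives `jpeg_buffer.size` a lower bound only; `word` is read from the JPEG stream, and nothing in the visible lines caps `(long)word - 2` against the bytes actually left in the plane after `ctx->out_q.sos + 2`. If the caller has not already validated that range (not visible here), the size should be clamped to the remaining payload, for instance against `vb2_get_plane_payload(&vb->vb2_buf, 0)`, before the table is walked. In s5p_jpeg_parse_hdr() the added comment leans on skip() rejecting a negative `length`; skip() is outside this patch, so the comment would be more useful if it named the check it depends on. Both functions continue outside the hunks.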
diff --git a/queue-5.4/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch b/queue-5.4/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
new file mode 100644 (file)
index 0000000..84c844c
--- /dev/null
@@ -0,0 +1,36 @@
+From e6a3ea83fbe15d4818d01804e904cbb0e64e543b Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Wed, 16 Oct 2024 11:53:15 +0200
+Subject: media: v4l2-tpg: prevent the risk of a division by zero
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit e6a3ea83fbe15d4818d01804e904cbb0e64e543b upstream.
+
+As reported by Coverity, the logic at tpg_precalculate_line()
+blindly rescales the buffer even when scaled_witdh is equal to
+zero. If this ever happens, this will cause a division by zero.
+
+Instead, add a WARN_ON_ONCE() to trigger such cases and return
+without doing any precalculation.
+
+Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/v4l2-tpg/v4l2-tpg-core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+@@ -1789,6 +1789,9 @@ static void tpg_precalculate_line(struct
+       unsigned p;
+       unsigned x;
++      if (WARN_ON_ONCE(!tpg->src_width || !tpg->scaled_width))
++              return;
++
+       switch (tpg->pattern) {
+       case TPG_PAT_GREEN:
+               contrast = TPG_COLOR_100_RED;
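Review bot: The early return added at the top of tpg_precalculate_line() leaves the precalculated line buffers untouched, and because the function returns void the caller cannot tell that precalculation was skipped, so later consumers may work from stale or never-filled data. A comment at the guard, e.g. `/* zero widths would divide by zero below; line buffers are left as-is */`, would document that. WARN_ON_ONCE() also escalates to a panic on systems booted with panic_on_warn, so if either width can reach zero through a path userspace controls (not determinable from this hunk), `pr_warn_once()` plus the same return would avoid turning a bad configuration into a crash. The function body continues outside the hunk.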
index bc260d298b3e730b99db8de8f3580b8851e30269..051bcd79a67cf705cf1021f57d8703e1073c43a6 100644 (file)
@@ -18,3 +18,6 @@ media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch
 media-dvb_frontend-don-t-play-tricks-with-underflow-.patch
 media-adv7604-prevent-underflow-condition-when-repor.patch
 alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch
+media-s5p-jpeg-prevent-buffer-overflows.patch
+media-cx24116-prevent-overflows-on-snr-calculus.patch
+media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch