media: i2c: adv7604: Add range checks for chip info

If the driver's chip information is invalid we can end up accessing an
invalid memory region.

This fixes the following false positive smatch errors:
drivers/media/i2c/adv7604.c:3672 adv76xx_probe() error: buffer overflow 'state->pads' 7 <= 4294967294
drivers/media/i2c/adv7604.c:3673 adv76xx_probe() error: buffer overflow 'state->pads' 7 <= u32max

Reviewed-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>

diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
index 67116a4ef134ed2093b3e29ad65abb08139b06a1..ae75982fb514514ce684554cff739cbdd4072c72 100644 (file)
--- a/drivers/media/i2c/adv7604.c
+++ b/drivers/media/i2c/adv7604.c
@@ -3668,6 +3668,12 @@ static int adv76xx_probe(struct i2c_client *client)
 
        state->source_pad = state->info->num_dv_ports
                          + (state->info->has_afe ? 2 : 0);
+       if (WARN_ON(state->source_pad >= ADV76XX_PAD_MAX)) {
+               err = -EINVAL;
+               v4l2_err(sd, "invalid chip info\n");
+               goto err_i2c;
+       }
+
        for (i = 0; i < state->source_pad; ++i)
                state->pads[i].flags = MEDIA_PAD_FL_SINK;
        state->pads[state->source_pad].flags = MEDIA_PAD_FL_SOURCE;