media: chips-media: wave5: Add range checks for dec_output_info
authorRicardo Ribalda <ribalda@chromium.org>
Thu, 7 May 2026 20:58:09 +0000 (20:58 +0000)
committerHans Verkuil <hverkuil+cisco@kernel.org>
Tue, 12 May 2026 07:39:02 +0000 (09:39 +0200)
If the driver's dec_output_info contains invalid data the driver can
write in invalid memory. Add a range check for that.

This fixes this smatch error:
drivers/media/platform/chips-media/wave5/wave5-vpuapi.c:588 wave5_vpu_dec_get_output_info() error: buffer overflow 'inst->frame_buf' 64 <= 127

Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
drivers/media/platform/chips-media/wave5/wave5-vpuapi.c

index d26ffc9422190686d61a75e12c9b7b57b8018890..f77abd5e122a2d740caa451191efb591525f0d1b 100644 (file)
@@ -584,8 +584,15 @@ int wave5_vpu_dec_get_output_info(struct vpu_instance *inst, struct dec_output_i
                p_dec_info->num_of_decoding_fbs : p_dec_info->num_of_display_fbs;
 
        if (info->index_frame_display >= 0 &&
-           info->index_frame_display < (int)max_dec_index)
-               info->disp_frame = inst->frame_buf[val + info->index_frame_display];
+           info->index_frame_display < (int)max_dec_index) {
+               u32 idx = val + info->index_frame_display;
+
+               if (WARN_ON(idx >= MAX_REG_FRAME)) {
+                       ret = -EINVAL;
+                       goto err_out;
+               }
+               info->disp_frame = inst->frame_buf[idx];
+       }
 
        info->rd_ptr = p_dec_info->stream_rd_ptr;
        info->wr_ptr = p_dec_info->stream_wr_ptr;
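Review bot: The new guard is written as `WARN_ON(idx >= MAX_REG_FRAME)`, and if `val` or `info->index_frame_display` derive from values reported by the VPU firmware (the commit message suggests this, but the hunk does not show where they are filled in), a misbehaving device can trigger it on every call, flooding the log and stopping machines booted with panic_on_warn. `if (WARN_ON_ONCE(idx >= MAX_REG_FRAME)) {` or a rate-limited error message would keep the bounds check without that side effect. The limit is also the capacity of `inst->frame_buf` rather than the number of frame buffers actually registered, so an in-range `idx` may still select a slot that was never populated; comparing against the registered count, if the instance tracks one, would be tighter. The function body and the `err_out` label lie outside the hunk, so confirm that path releases whatever was taken earlier in wave5_vpu_dec_get_output_info().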