From: Philipp Zabel <p.zabel@pengutronix.de>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-media@vger.kernel.org
Subject: Re: [bug report] media: coda: jpeg: add CODA960 JPEG encoder support
Date: Fri, 23 Apr 2021 14:51:57 +0200 [thread overview]
Message-ID: <9298701d11e591e23b7438d9ed027a56f129a0f1.camel@pengutronix.de> (raw)
In-Reply-To: <YIKzER9cE+h0kI2l@mwanda>
Hi Dan,
On Fri, 2021-04-23 at 14:44 +0300, Dan Carpenter wrote:
> Hello Philipp Zabel,
>
> The patch 96f6f62c4656: "media: coda: jpeg: add CODA960 JPEG encoder
> support" from Dec 12, 2019, leads to the following static checker
> warning:
>
> drivers/media/platform/coda/coda-jpeg.c:621 coda9_jpeg_gen_enc_huff_tab()
> warn: check that incremented offset 'k' is capped
Thank you for the report!
> drivers/media/platform/coda/coda-jpeg.c
> 582 static int coda9_jpeg_gen_enc_huff_tab(struct coda_ctx *ctx, int tab_num,
> 583 int *ehufsi, int *ehufco)
> 584 {
> 585 int i, j, k, lastk, si, code, maxsymbol;
> 586 const u8 *bits, *huffval;
> 587 struct {
> 588 int size[256];
> 589 int code[256];
> 590 } *huff;
> 591 static const unsigned char *huff_tabs[4] = {
> 592 luma_dc, luma_ac, chroma_dc, chroma_ac,
> 593 };
> 594 int ret = -EINVAL;
> 595
> 596 huff = kzalloc(sizeof(*huff), GFP_KERNEL);
>
> huff->size[] is a 256 byte array of zero.
int, not byte. It's does contain all zeros though, as does the following
huff->code[].
> 597 if (!huff)
> 598 return -ENOMEM;
> 599
> 600 bits = huff_tabs[tab_num];
> 601 huffval = huff_tabs[tab_num] + 16;
> 602
> 603 maxsymbol = tab_num & 1 ? 256 : 16;
> 604
> 605 /* Figure C.1 - Generation of table of Huffman code sizes */
> 606 k = 0;
> 607 for (i = 1; i <= 16; i++) {
> 608 j = bits[i - 1];
> 609 if (k + j > maxsymbol)
> 610 goto out;
> 611 while (j--)
> 612 huff->size[k++] = i;
> ^^^^^^^^^^^^^^^^^^^
> We're filling potentially up to to maxsymbol (256) with i.
That is correct. Assuming the sum of bits[0..15] is exactly 256, this
code will fill all 256 size[] entries.
In practice the four bits tables from huff_tabs only sum up to 162 at
most, but this may change if we added support for setting the encoder
Huffman tables from userspace.
> 613 }
> 614 lastk = k;
> 615
> 616 /* Figure C.2 - Generation of table of Huffman codes */
> 617 k = 0;
> 618 code = 0;
> 619 si = huff->size[0];
> 620 while (k < lastk) {
> 621 while (huff->size[k] == si) {
> ^^^^^^^^^^^^^^^^^^^
> I'm not sure I have understood this code, but I think maybe we do need
> to if (k < lastk && huff->size[k] == si) {
So this could indeed overflow size[] in theory.
It would still terminate at &size[256] or &code[0], as code[0] happens
to always contain 0, but your suggestion is correct.
> 622 huff->code[k++] = code;
> 623 code++;
> 624 }
> 625 if (code >= (1 << si))
> 626 goto out;
> 627 code <<= 1;
> 628 si++;
> 629 }
regards
Philipp
next prev parent reply other threads:[~2021-04-23 12:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-23 11:44 [bug report] media: coda: jpeg: add CODA960 JPEG encoder support Dan Carpenter
2021-04-23 12:51 ` Philipp Zabel [this message]
2022-06-15 8:20 Dan Carpenter
2022-06-15 12:24 ` Philipp Zabel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9298701d11e591e23b7438d9ed027a56f129a0f1.camel@pengutronix.de \
--to=p.zabel@pengutronix.de \
--cc=dan.carpenter@oracle.com \
--cc=linux-media@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.