From: Dan Carpenter <dan.carpenter@oracle.com>
To: p.zabel@pengutronix.de
Cc: linux-media@vger.kernel.org
Subject: [bug report] media: coda: jpeg: add CODA960 JPEG encoder support
Date: Wed, 15 Jun 2022 11:20:51 +0300
Message-ID: <YqmWY0MmKWTsAL4D@kili>

Hello Philipp Zabel,

The patch 96f6f62c4656: "media: coda: jpeg: add CODA960 JPEG encoder
support" from Dec 12, 2019, leads to the following Smatch static
checker warning:

	drivers/media/platform/chips-media/coda-jpeg.c:622 coda9_jpeg_gen_enc_huff_tab()
	warn: check that incremented offset 'k' is capped

drivers/media/platform/chips-media/coda-jpeg.c
    583 static int coda9_jpeg_gen_enc_huff_tab(struct coda_ctx *ctx, int tab_num,
    584                                        int *ehufsi, int *ehufco)
    585 {
    586         int i, j, k, lastk, si, code, maxsymbol;
    587         const u8 *bits, *huffval;
    588         struct {
    589                 int size[256];
    590                 int code[256];
    591         } *huff;
    592         static const unsigned char *huff_tabs[4] = {
    593                 luma_dc, luma_ac, chroma_dc, chroma_ac,
    594         };
    595         int ret = -EINVAL;
    596
    597         huff = kzalloc(sizeof(*huff), GFP_KERNEL);
    598         if (!huff)
    599                 return -ENOMEM;
    600
    601         bits = huff_tabs[tab_num];
    602         huffval = huff_tabs[tab_num] + 16;
    603
    604         maxsymbol = tab_num & 1 ? 256 : 16;
    605
    606         /* Figure C.1 - Generation of table of Huffman code sizes */
    607         k = 0;
    608         for (i = 1; i <= 16; i++) {
    609                 j = bits[i - 1];
    610                 if (k + j > maxsymbol)
    611                         goto out;
    612                 while (j--)
    613                         huff->size[k++] = i;
    614         }
    615         lastk = k;
    616
    617         /* Figure C.2 - Generation of table of Huffman codes */
    618         k = 0;
    619         code = 0;
    620         si = huff->size[0];
    621         while (k < lastk) {
                       ^^^^^^^^^
Here we know that k is valid.

--> 622                 while (huff->size[k] == si) {
    623                         huff->code[k++] = code;

But this loop iterates through k without checking if k is still valid.
How do we know that the huff->size[k] check won't read beyond the end
of the loop?  Presumably it won't go far beyond the end before it hits
something which is != si.

    624                         code++;
    625                 }
    626                 if (code >= (1 << si))
    627                         goto out;
    628                 code <<= 1;
    629                 si++;
    630         }
    631
    632         /* Figure C.3 - Ordering procedure for encoding procedure code tables */
    633         for (k = 0; k < lastk; k++) {
    634                 i = huffval[k];
    635                 if (i >= maxsymbol || ehufsi[i])
    636                         goto out;
    637                 ehufco[i] = huff->code[k];
    638                 ehufsi[i] = huff->size[k];
    639         }
    640
    641         ret = 0;
    642 out:
    643         kfree(huff);
    644         return ret;
    645 }

regards,
dan carpenter
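
An added userspace sketch of the Figure C.1/C.2 loops quoted above (not the driver's code and not a patch from this thread), reporting the highest index of the size table that the inner loop at line 622 reads, with and without an extra `k < lastk` test. The `capped` flag, the `max_read` counter, the spare array entry and the 256-symbol table are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SYM 256
/* Constructed BITS table (not the driver's): 255 codes of length 8 plus
 * one of length 9, so lastk == MAX_SYM. */
static const unsigned char full_bits[16] = { [7] = 255, [8] = 1 };

/* Figure C.1. size[] has one spare zero entry so the uncapped loop below
 * stays inside this example's buffer. Returns lastk, or -1 if too large. */
static int gen_sizes(const unsigned char *bits, int size[MAX_SYM + 1])
{
	int i, j, k = 0;

	memset(size, 0, sizeof(int) * (MAX_SYM + 1));
	for (i = 1; i <= 16; i++) {
		j = bits[i - 1];
		if (k + j > MAX_SYM)
			return -1;
		while (j--)
			size[k++] = i;
	}
	return k;
}

/* Figure C.2. capped == 0 keeps the line 622 condition; capped == 1 also
 * requires k < lastk. Returns the highest size[] index read, or -1. */
static int gen_codes(const int *size, int lastk, int *code_out, int capped)
{
	int k = 0, code = 0, si = size[0], max_read = 0;

	while (k < lastk) {
		while (!capped || k < lastk) {
			max_read = k;	/* k only ever grows */
			if (size[k] != si)
				break;
			code_out[k++] = code++;
		}
		if (code >= (1 << si))
			return -1;
		code <<= 1;
		si++;
	}
	return max_read;
}

int main(void)
{
	int size[MAX_SYM + 1], code[MAX_SYM], n = gen_sizes(full_bits, size);
	printf("lastk=%d uncapped=%d capped=%d\n", n,
	       gen_codes(size, n, code, 0), gen_codes(size, n, code, 1));
	return 0;
}
```

Both variants assign identical codes; the only difference is whether the entry at index `lastk` is read after the last symbol has been handled.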