[libcamera-devel] [PATCH v2 2/2] libcamera: ipa_module: Fix implicit sign-extension in elfSection

Umang Jain email at uajain.com
Fri Jun 5 17:09:16 CEST 2020


Given how elfSection() is used, the sub-expression
       (idx * eHdr->e_shentsize)
has effectively two (16 bits, unsigned) operands.
The sub-expression is promoted to type int (32 bits, signed) for
multiplication and then added to eHdr->e_shoff, which is uint32_t
on 32-bit platforms and uint64_t on 64-bit platforms. Since eHdr->e_shoff
is unsigned, the integer conversion rules dictate that the other signed
operand (i.e. the resultant of the aforementioned sub-expression) will be
converted to unsigned type too. This causes sign-extension for both of
the above operands to match eHdr->e_shoff's type and should be avoided.

The solution is to explicitly cast one of the operands of the
sub-expression with unsigned int type. Hence, the other operand will be
integer promoted and the resultant will also be of unsigned int type,
without needing to bother about sign-extension.

Reported-by: Coverity CID=280008
Reported-by: Coverity CID=280009
Reported-by: Coverity CID=280010
Signed-off-by: Umang Jain <email at uajain.com>
Reviewed-by: Kieran Bingham <kieran.bingham at ideasonboard.com>
---
 src/libcamera/ipa_module.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libcamera/ipa_module.cpp b/src/libcamera/ipa_module.cpp
index f54dd8b..d79151d 100644
--- a/src/libcamera/ipa_module.cpp
+++ b/src/libcamera/ipa_module.cpp
@@ -93,7 +93,8 @@ ElfW(Shdr) *elfSection(Span<uint8_t> elf, ElfW(Ehdr) *eHdr, unsigned int idx)
 	if (idx >= eHdr->e_shnum)
 		return nullptr;
 
-	off_t offset = eHdr->e_shoff + idx * eHdr->e_shentsize;
+	off_t offset = eHdr->e_shoff + idx *
+				       static_cast<uint32_t>(eHdr->e_shentsize);
 	return elfPointer<ElfW(Shdr)>(elf, offset);
 }
 
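Review bot: On the new `off_t offset = ...` line, `idx` is already declared `unsigned int` in the signature shown in the hunk header, so the usual arithmetic conversions already convert the promoted `eHdr->e_shentsize` to `unsigned int` before the multiplication; where `unsigned int` is 32 bits, the `static_cast<uint32_t>` leaves the type and value of the product unchanged. If the cast is there to make the intent explicit for the static analyser, a short comment saying so would help, and casting to the type of `eHdr->e_shoff` (or doing the multiplication in a 64-bit unsigned type) would state the intended width more directly than `uint32_t`. Separately, the unsigned sum is stored in the signed `off_t` and passed straight to `elfPointer()`; the `idx >= eHdr->e_shnum` check bounds the index but not the resulting offset, so it is worth confirming that `elfPointer()` rejects offsets outside `elf`, including ones that turn negative after the conversion, since that check is not visible here. The line break after `idx *` also reads awkwardly; computing the product on its own line would be clearer.
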
-- 
2.26.2


