[libcamera-devel] [PATCH 2/3] ipa: raspberrypi: Fix possible buffer overrun in metadata parsing
Kieran Bingham
kieran.bingham at ideasonboard.com
Sat Jun 19 00:00:15 CEST 2021
Hi Naush,
On 15/06/2021 15:42, Naushir Patuck wrote:
> The SMIA metadata parser could possibly read one byte past the end of the
> buffer as the buffer size test ran after the read operation. Fix this.
>
Ohhh subtle, I wonder if this is in the Coverity scan issues....
I can't see it there ... perhaps it doesn't know that buffer.size() is
the size of the buffer though...
But it sounds right to me.
Reviewed-by: Kieran Bingham <kieran.bingham at ideasonboard.com>
> Signed-off-by: Naushir Patuck <naush at raspberrypi.com>
> ---
> src/ipa/raspberrypi/md_parser_smia.cpp | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/ipa/raspberrypi/md_parser_smia.cpp b/src/ipa/raspberrypi/md_parser_smia.cpp
> index 5c413f1b55cc..0a14875575a2 100644
> --- a/src/ipa/raspberrypi/md_parser_smia.cpp
> +++ b/src/ipa/raspberrypi/md_parser_smia.cpp
> @@ -71,8 +71,8 @@ MdParserSmia::ParseStatus MdParserSmia::findRegs(libcamera::Span<const uint8_t>
> return NO_LINE_START;
> } else {
> /* allow a zero line length to mean "hunt for the next line" */
> - while (buffer[current_offset] != LINE_START &&
> - current_offset < buffer.size())
> + while (current_offset < buffer.size() &&
> + buffer[current_offset] != LINE_START)
> current_offset++;
>
> if (current_offset == buffer.size())
>
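Review bot: In the reordered `while` condition, the read of `buffer[current_offset]` is in bounds only because `&&` stops evaluating once `current_offset < buffer.size()` is false, and nothing in the code records that the order matters. The existing comment above the loop explains the zero line length hunt but not this constraint, so a short addition there saying the size test must come before the index would keep a later cleanup from swapping the operands back. The `current_offset == buffer.size()` check that follows the loop already covers the case where no LINE_START is found, so no further change is needed in this hunk.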
--
Regards
--
Kieran