{"id":12605,"url":"https://patchwork.libcamera.org/api/1.1/patches/12605/?format=json","web_url":"https://patchwork.libcamera.org/patch/12605/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/1.1/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20210615144211.173047-3-naush@raspberrypi.com>","date":"2021-06-15T14:42:10","name":"[libcamera-devel,2/3] ipa: raspberrypi: Fix possible buffer overrun in metadata parsing","commit_ref":null,"pull_url":null,"state":"superseded","archived":false,"hash":"5851e6fb1540bff5fbe7cddf49a7d3489776e519","submitter":{"id":34,"url":"https://patchwork.libcamera.org/api/1.1/people/34/?format=json","name":"Naushir Patuck","email":"naush@raspberrypi.com"},"delegate":null,"mbox":"https://patchwork.libcamera.org/patch/12605/mbox/","series":[{"id":2137,"url":"https://patchwork.libcamera.org/api/1.1/series/2137/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=2137","date":"2021-06-15T14:42:08","name":"Raspberry Pi: Metadata parsing improvements (II)","version":1,"mbox":"https://patchwork.libcamera.org/series/2137/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/12605/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/12605/checks/","tags":{},"headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 06286C3218\n\tfor <parsemail@patchwork.libcamera.org>;\n\tTue, 15 Jun 2021 14:42:20 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id C8AC268946;\n\tTue, 15 Jun 2021 
16:42:17 +0200 (CEST)","from mail-wr1-x436.google.com (mail-wr1-x436.google.com\n\t[IPv6:2a00:1450:4864:20::436])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 2FF0C6029D\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue, 15 Jun 2021 16:42:16 +0200 (CEST)","by mail-wr1-x436.google.com with SMTP id v9so2348162wrx.6\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue, 15 Jun 2021 07:42:16 -0700 (PDT)","from naush-laptop.pitowers.org\n\t([2a00:1098:3142:14:5904:b958:1fd:d555])\n\tby smtp.gmail.com with ESMTPSA id\n\tk12sm2441142wmr.2.2021.06.15.07.42.14\n\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n\tTue, 15 Jun 2021 07:42:15 -0700 (PDT)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=raspberrypi.com header.i=@raspberrypi.com\n\theader.b=\"R224ZhPu\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=raspberrypi.com; s=google;\n\th=from:to:cc:subject:date:message-id:in-reply-to:references\n\t:mime-version:content-transfer-encoding;\n\tbh=qZ5x/QJR9ar257IFq88wn4YlpH7vJmdUmMNASJJkMdM=;\n\tb=R224ZhPuqIf9XDpp9StkQwjEywP0quQ1Jema/tfdPAaZHJKY3JWJ3p327/Z+wIEbiT\n\t2cq0rebJ/FeB2ksqGoslP9/U+5+PzN3oALVQl6QFbot1cIqIxqSwdjurlmeztKkPkfuC\n\tcFJf9eQzwEyCFqWkg3yfDrVy5Rp854EwyGZIv94PF6NmkJ4/kLoaM6QvwxzclSz9Zjn2\n\th2iscb6SxPynJCCGwdsBHeMEauVHIh5V2y2wGLva1eY7r7zGPOgXQROR72uGhhAGnS4X\n\tQv+eFtAFFgxfBuoozlxUOb94TNX0LVEysyYJFrYg4TU8G0tQ3v2N0LF9O3owUBk9/M8J\n\trI6A==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; 
s=20161025;\n\th=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to\n\t:references:mime-version:content-transfer-encoding;\n\tbh=qZ5x/QJR9ar257IFq88wn4YlpH7vJmdUmMNASJJkMdM=;\n\tb=K41diAXro+oCpHnYp7MvI5v4il5hIo1JeBIece2JJVHSJBp3FJ3xwJvjUc3AU9qNQY\n\tJyBbh/ALLgoP8qJIyYarNdIKprckm7DNOFzU8xys2NMuNK++LlX4DNE7D8GXEFrktypS\n\tJ0rM7vb4RmW0ke4XOm+m1E4uM5BhyQr4nWH6ZkJLmA3rskfFpwEMTgQwkRucPK7L5gHq\n\tGMb3gmYj1pOA5Y60rK3AL4sErmWH+9Lzn+VNDBQWo4yzihQs+IIKivWr815IY9E3874O\n\tPcBknZk8+ajNs8jbd4N4/VIR/vV8NKXMIMPkIgZSkdR5uDvVbn2owzfxmu8/a/O62ZaI\n\tY22Q==","X-Gm-Message-State":"AOAM533N25v/ZSahLBStceNjOdfPDcMfNVkNp07q1L+7jmwgVCvQ0b3c\n\tvZbCT7MYn6yUGLFj2WQT2jTzWVYmf5auDA==","X-Google-Smtp-Source":"ABdhPJwAOR/bgBH0GN7n2kNH35HBEF/FHvzA6MDGVV7pOggsPgUGrwsGTQW/sTqeROObZGXCGhhNiw==","X-Received":"by 2002:a5d:6082:: with SMTP id\n\tw2mr25666620wrt.209.1623768135660; \n\tTue, 15 Jun 2021 07:42:15 -0700 (PDT)","From":"Naushir Patuck <naush@raspberrypi.com>","To":"libcamera-devel@lists.libcamera.org","Date":"Tue, 15 Jun 2021 15:42:10 +0100","Message-Id":"<20210615144211.173047-3-naush@raspberrypi.com>","X-Mailer":"git-send-email 2.25.1","In-Reply-To":"<20210615144211.173047-1-naush@raspberrypi.com>","References":"<20210615144211.173047-1-naush@raspberrypi.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"[libcamera-devel] [PATCH 2/3] ipa: raspberrypi: Fix possible buffer\n\toverrun in metadata 
parsing","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"},"content":"The SMIA metadata parser could possibly read one byte past the end of the\nbuffer as the buffer size test ran after the read operation. Fix this.\n\nSigned-off-by: Naushir Patuck <naush@raspberrypi.com>\n---\n src/ipa/raspberrypi/md_parser_smia.cpp | 4 ++--\n 1 file changed, 2 insertions(+), 2 deletions(-)","diff":"diff --git a/src/ipa/raspberrypi/md_parser_smia.cpp b/src/ipa/raspberrypi/md_parser_smia.cpp\nindex 5c413f1b55cc..0a14875575a2 100644\n--- a/src/ipa/raspberrypi/md_parser_smia.cpp\n+++ b/src/ipa/raspberrypi/md_parser_smia.cpp\n@@ -71,8 +71,8 @@ MdParserSmia::ParseStatus MdParserSmia::findRegs(libcamera::Span<const uint8_t>\n \t\t\t\t\treturn NO_LINE_START;\n \t\t\t} else {\n \t\t\t\t/* allow a zero line length to mean \"hunt for the next line\" */\n-\t\t\t\twhile (buffer[current_offset] != LINE_START &&\n-\t\t\t\t       current_offset < buffer.size())\n+\t\t\t\twhile (current_offset < buffer.size() &&\n+\t\t\t\t       buffer[current_offset] != LINE_START)\n \t\t\t\t\tcurrent_offset++;\n \n \t\t\t\tif (current_offset == buffer.size())\n","prefixes":["libcamera-devel","2/3"]}
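Review bot: in the `while` loop of the single hunk in md_parser_smia.cpp, the reordering is right (with `current_offset < buffer.size()` first, `&&` short-circuits before `buffer[current_offset]` is read), but the commit message does not say whether the other `buffer[...]` accesses in `findRegs()` were checked for the same read-before-test ordering. Only this one loop is visible here, so a sentence confirming that audit would help. The following `if (current_offset == buffer.size())` depends on the loop stopping exactly at the end of the span, which holds while the loop advances by one. A short comment on the loop noting that the size test must stay first would guard against the order being swapped back in a later cleanup.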