[{"id":17638,"web_url":"https://patchwork.libcamera.org/comment/17638/","msgid":"<2d402b06-3690-76e2-3643-7cada60b60b2@ideasonboard.com>","date":"2021-06-18T22:00:15","subject":"Re: [libcamera-devel] [PATCH 2/3] ipa: raspberrypi: Fix possible\n\tbuffer overrun in metadata parsing","submitter":{"id":4,"url":"https://patchwork.libcamera.org/api/people/4/","name":"Kieran Bingham","email":"kieran.bingham@ideasonboard.com"},"content":"Hi Naush,\n\nOn 15/06/2021 15:42, Naushir Patuck wrote:\n> The SMIA metadata parser could possibly read one byte past the end of the\n> buffer as the buffer size test ran after the read operation. Fix this.\n> \n\nOhhh subtle, I wonder if this is in the coverity scan issues....\n\nI can't see it there ...  perhaps it doesn't know that buffer.size() is\nthe size of the buffer though...\n\nBut it sounds right to me.\n\nReviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>\n\n> Signed-off-by: Naushir Patuck <naush@raspberrypi.com>\n> ---\n>  src/ipa/raspberrypi/md_parser_smia.cpp | 4 ++--\n>  1 file changed, 2 insertions(+), 2 deletions(-)\n> \n> diff --git a/src/ipa/raspberrypi/md_parser_smia.cpp b/src/ipa/raspberrypi/md_parser_smia.cpp\n> index 5c413f1b55cc..0a14875575a2 100644\n> --- a/src/ipa/raspberrypi/md_parser_smia.cpp\n> +++ b/src/ipa/raspberrypi/md_parser_smia.cpp\n> 
@@ -71,8 +71,8 @@ MdParserSmia::ParseStatus MdParserSmia::findRegs(libcamera::Span<const uint8_t>\n>  \t\t\t\t\treturn NO_LINE_START;\n>  \t\t\t} else {\n>  \t\t\t\t/* allow a zero line length to mean \"hunt for the next line\" */\n> -\t\t\t\twhile (buffer[current_offset] != LINE_START &&\n> -\t\t\t\t       current_offset < buffer.size())\n> +\t\t\t\twhile (current_offset < buffer.size() &&\n> +\t\t\t\t       buffer[current_offset] != LINE_START)\n>  \t\t\t\t\tcurrent_offset++;\n>  \n>  \t\t\t\tif (current_offset == buffer.size())\n>","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 20E12BD78E\n\tfor <parsemail@patchwork.libcamera.org>;\n\tFri, 18 Jun 2021 22:00:21 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 1DCA268942;\n\tSat, 19 Jun 2021 00:00:20 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 985856050C\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tSat, 19 Jun 2021 00:00:18 +0200 (CEST)","from [192.168.0.20]\n\t(cpc89244-aztw30-2-0-cust3082.18-1.cable.virginm.net [86.31.172.11])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 244A955C;\n\tSat, 19 Jun 2021 00:00:18 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"C9Puj+9H\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; 
t=1624053618;\n\th=Reply-To:To:References:From:Subject:Date:In-Reply-To:From","To":"Naushir Patuck <naush@raspberrypi.com>,\n\tlibcamera-devel@lists.libcamera.org","References":"<20210615144211.173047-1-naush@raspberrypi.com>\n\t<20210615144211.173047-3-naush@raspberrypi.com>","From":"Kieran Bingham <kieran.bingham@ideasonboard.com>","Organization":"Ideas on Board","Message-ID":"<2d402b06-3690-76e2-3643-7cada60b60b2@ideasonboard.com>","Date":"Fri, 18 Jun 2021 23:00:15 +0100","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101\n\tThunderbird/78.8.1","MIME-Version":"1.0","In-Reply-To":"<20210615144211.173047-3-naush@raspberrypi.com>","Content-Type":"text/plain; charset=utf-8","Content-Language":"en-GB","Content-Transfer-Encoding":"8bit","Subject":"Re: [libcamera-devel] [PATCH 2/3] ipa: raspberrypi: Fix possible\n\tbuffer overrun in metadata parsing","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Reply-To":"kieran.bingham@ideasonboard.com","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" 
<libcamera-devel-bounces@lists.libcamera.org>"}},{"id":17648,"web_url":"https://patchwork.libcamera.org/comment/17648/","msgid":"<CAHW6GYJG7LJbrMtcLnPJ0cYfTBtp_WAeqJzA=CigLFULywCAfQ@mail.gmail.com>","date":"2021-06-21T07:59:47","subject":"Re: [libcamera-devel] [PATCH 2/3] ipa: raspberrypi: Fix possible\n\tbuffer overrun in metadata parsing","submitter":{"id":42,"url":"https://patchwork.libcamera.org/api/people/42/","name":"David Plowman","email":"david.plowman@raspberrypi.com"},"content":"Hi Naush\n\nOuch, I wonder who first wrote that... thanks for fixing it!\n\nOn Tue, 15 Jun 2021 at 15:42, Naushir Patuck <naush@raspberrypi.com> wrote:\n>\n> The SMIA metadata parser could possibly read one byte past the end of the\n> buffer as the buffer size test ran after the read operation. Fix this.\n>\n> Signed-off-by: Naushir Patuck <naush@raspberrypi.com>\n\nReviewed-by: David Plowman <david.plowman@raspberrypi.com>\n\nThanks\nDavid\n\n> ---\n>  src/ipa/raspberrypi/md_parser_smia.cpp | 4 ++--\n>  1 file changed, 2 insertions(+), 2 deletions(-)\n>\n> diff --git a/src/ipa/raspberrypi/md_parser_smia.cpp b/src/ipa/raspberrypi/md_parser_smia.cpp\n> index 5c413f1b55cc..0a14875575a2 100644\n> --- a/src/ipa/raspberrypi/md_parser_smia.cpp\n> +++ b/src/ipa/raspberrypi/md_parser_smia.cpp\n> 
@@ -71,8 +71,8 @@ MdParserSmia::ParseStatus MdParserSmia::findRegs(libcamera::Span<const uint8_t>\n>                                         return NO_LINE_START;\n>                         } else {\n>                                 /* allow a zero line length to mean \"hunt for the next line\" */\n> -                               while (buffer[current_offset] != LINE_START &&\n> -                                      current_offset < buffer.size())\n> +                               while (current_offset < buffer.size() &&\n> +                                      buffer[current_offset] != LINE_START)\n>                                         current_offset++;\n>\n>                                 if (current_offset == buffer.size())\n> --\n> 2.25.1\n>","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 07D43C3218\n\tfor <parsemail@patchwork.libcamera.org>;\n\tMon, 21 Jun 2021 08:00:02 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id CAD8768935;\n\tMon, 21 Jun 2021 10:00:00 +0200 (CEST)","from mail-wm1-x332.google.com (mail-wm1-x332.google.com\n\t[IPv6:2a00:1450:4864:20::332])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id E14FE60295\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tMon, 21 Jun 2021 09:59:58 +0200 (CEST)","by mail-wm1-x332.google.com with SMTP id\n\tn35-20020a05600c3ba3b02901cdecb6bda8so13117131wms.5\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tMon, 21 Jun 2021 00:59:58 -0700 (PDT)"],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (2048-bit key;\n\tunprotected) header.d=raspberrypi.com header.i=@raspberrypi.com\n\theader.b=\"nozxtD0C\"; dkim-atps=neutral","DKIM-Signature":"v=1; 
a=rsa-sha256; c=relaxed/relaxed;\n\td=raspberrypi.com; s=google;\n\th=mime-version:references:in-reply-to:from:date:message-id:subject:to\n\t:cc","X-Received":"by 2002:a7b:c76a:: with SMTP id\n\tx10mr20085244wmk.135.1624262398423; \n\tMon, 21 Jun 2021 00:59:58 -0700 (PDT)","MIME-Version":"1.0","References":"<20210615144211.173047-1-naush@raspberrypi.com>\n\t<20210615144211.173047-3-naush@raspberrypi.com>","In-Reply-To":"<20210615144211.173047-3-naush@raspberrypi.com>","From":"David Plowman <david.plowman@raspberrypi.com>","Date":"Mon, 21 Jun 2021 08:59:47 +0100","Message-ID":"<CAHW6GYJG7LJbrMtcLnPJ0cYfTBtp_WAeqJzA=CigLFULywCAfQ@mail.gmail.com>","To":"Naushir Patuck 
<naush@raspberrypi.com>","Content-Type":"text/plain; charset=\"UTF-8\"","Subject":"Re: [libcamera-devel] [PATCH 2/3] ipa: raspberrypi: Fix possible\n\tbuffer overrun in metadata parsing","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Cc":"libcamera devel <libcamera-devel@lists.libcamera.org>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}},{"id":17690,"web_url":"https://patchwork.libcamera.org/comment/17690/","msgid":"<YNG7OiCIZ5TcSLXK@pendragon.ideasonboard.com>","date":"2021-06-22T10:28:10","subject":"Re: [libcamera-devel] [PATCH 2/3] ipa: raspberrypi: Fix possible\n\tbuffer overrun in metadata parsing","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"Hi Naush,\n\nThank you for the patch.\n\nOn Tue, Jun 15, 2021 at 03:42:10PM +0100, Naushir Patuck wrote:\n> The SMIA metadata parser could possibly read one byte past the end of the\n> buffer as the buffer size test ran after the read operation. Fix this.\n> \n> Signed-off-by: Naushir Patuck <naush@raspberrypi.com>\n\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n\n> ---\n>  src/ipa/raspberrypi/md_parser_smia.cpp | 4 ++--\n>  1 file changed, 2 insertions(+), 2 deletions(-)\n> \n> 
diff --git a/src/ipa/raspberrypi/md_parser_smia.cpp b/src/ipa/raspberrypi/md_parser_smia.cpp\n> index 5c413f1b55cc..0a14875575a2 100644\n> --- a/src/ipa/raspberrypi/md_parser_smia.cpp\n> +++ b/src/ipa/raspberrypi/md_parser_smia.cpp\n> 
@@ -71,8 +71,8 @@ MdParserSmia::ParseStatus MdParserSmia::findRegs(libcamera::Span<const uint8_t>\n>  \t\t\t\t\treturn NO_LINE_START;\n>  \t\t\t} else {\n>  \t\t\t\t/* allow a zero line length to mean \"hunt for the next line\" */\n> -\t\t\t\twhile (buffer[current_offset] != LINE_START &&\n> -\t\t\t\t       current_offset < buffer.size())\n> +\t\t\t\twhile (current_offset < buffer.size() &&\n> +\t\t\t\t       buffer[current_offset] != LINE_START)\n>  \t\t\t\t\tcurrent_offset++;\n>  \n>  \t\t\t\tif (current_offset == buffer.size())","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id B963CC321A\n\tfor <parsemail@patchwork.libcamera.org>;\n\tTue, 22 Jun 2021 10:28:41 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 01FCA68932;\n\tTue, 22 Jun 2021 12:28:41 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 5C74160292\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue, 22 Jun 2021 12:28:39 +0200 (CEST)","from pendragon.ideasonboard.com (62-78-145-57.bb.dnainternet.fi\n\t[62.78.145.57])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id C96CBA66;\n\tTue, 22 Jun 2021 12:28:38 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"LRcwL6Oo\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; 
t=1624357719;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From","Date":"Tue, 22 Jun 2021 13:28:10 +0300","From":"Laurent Pinchart <laurent.pinchart@ideasonboard.com>","To":"Naushir Patuck <naush@raspberrypi.com>","Message-ID":"<YNG7OiCIZ5TcSLXK@pendragon.ideasonboard.com>","References":"<20210615144211.173047-1-naush@raspberrypi.com>\n\t<20210615144211.173047-3-naush@raspberrypi.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20210615144211.173047-3-naush@raspberrypi.com>","Subject":"Re: [libcamera-devel] [PATCH 2/3] ipa: raspberrypi: Fix possible\n\tbuffer overrun in metadata parsing","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Cc":"libcamera-devel@lists.libcamera.org","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}}]
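
Review bot: in the rewritten `while` condition of the `findRegs` hunk (quoted in each of the three replies), the bounds test `current_offset < buffer.size()` has to stay the left operand of `&&`, because that ordering is the only thing preventing `buffer[current_offset]` from being evaluated when `current_offset == buffer.size()`, and nothing in the hunk records that. A later reordering would compile cleanly and bring back the one-byte over-read, so a one-line comment on the loop would help, or the hand-written hunt could be replaced with `std::find` over the span starting at `current_offset`, which keeps the end bound explicit and still lets the following `if (current_offset == buffer.size())` check detect the not-found case. A unit test that passes a buffer containing no `LINE_START` byte after the starting offset, run under a memory sanitizer, would pin the fixed behaviour.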