From patchwork Tue Jun 15 14:42:10 2021
X-Patchwork-Submitter: Naushir Patuck
X-Patchwork-Id: 12605
From: Naushir Patuck
To: libcamera-devel@lists.libcamera.org
Date: Tue, 15 Jun 2021 15:42:10 +0100
Message-Id: <20210615144211.173047-3-naush@raspberrypi.com>
In-Reply-To: <20210615144211.173047-1-naush@raspberrypi.com>
References: <20210615144211.173047-1-naush@raspberrypi.com>
Subject: [libcamera-devel] [PATCH 2/3] ipa: raspberrypi: Fix possible buffer overrun in metadata parsing

The SMIA metadata parser could possibly read one byte past the end of the
buffer as the buffer size test ran after the read operation. Fix this.

Signed-off-by: Naushir Patuck Reviewed-by: Kieran Bingham Reviewed-by: David Plowman Reviewed-by: Laurent Pinchart --- src/ipa/raspberrypi/md_parser_smia.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ipa/raspberrypi/md_parser_smia.cpp b/src/ipa/raspberrypi/md_parser_smia.cpp index 5c413f1b55cc..0a14875575a2 100644 --- a/src/ipa/raspberrypi/md_parser_smia.cpp +++ b/src/ipa/raspberrypi/md_parser_smia.cpp @@ -71,8 +71,8 @@ MdParserSmia::ParseStatus MdParserSmia::findRegs(libcamera::Span return NO_LINE_START; } else { /* allow a zero line length to mean "hunt for the next line" */ - while (buffer[current_offset] != LINE_START && - current_offset < buffer.size()) + while (current_offset < buffer.size() && + buffer[current_offset] != LINE_START) current_offset++; if (current_offset == buffer.size())
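
Review bot: In the rewritten `while` condition in MdParserSmia::findRegs(), safety now rests entirely on `&&` evaluating `current_offset < buffer.size()` before `buffer[current_offset]`, and nothing in the code records that the operand order matters, so a later cleanup could swap it back. Consider a one-line comment above the loop, or replacing the hand-written scan with std::find over the buffer range so the bound is implicit and the following `if (current_offset == buffer.size())` test becomes a comparison against the end of the range. It is also worth checking whether other loops in this parser that index `buffer` use the same read-before-check ordering; only this one is visible in the hunk.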