projects / linux-block.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a9fef29)
media: coda: cast an operand of multiplication to a larger type
authorAnastasia Belova <abelova@astralinux.ru>
Mon, 5 Feb 2024 15:23:50 +0000 (18:23 +0300)
committerHans Verkuil <hverkuil-cisco@xs4all.nl>
Sun, 25 Aug 2024 06:15:24 +0000 (08:15 +0200)
If the width and height are 0xffff (or close), the result of a
multiplication will overflow.
Cast to a larger type to avoid undefined behavior.

Such values are possible in CODA7, but unlikely.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 918c66fd4126 ("[media] coda: add CODA7541 decoding support")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
drivers/media/platform/chips-media/coda/coda-bit.c patch | blob | blame | history

diff --git a/drivers/media/platform/chips-media/coda/coda-bit.c b/drivers/media/platform/chips-media/coda/coda-bit.c
index ed47d5bd8d61e9db81dae0f4b4c8289092fd330f..84ded154adfe37147218d60278a1c1fac88ecadc 100644 (file)
--- a/drivers/media/platform/chips-media/coda/coda-bit.c
+++ b/drivers/media/platform/chips-media/coda/coda-bit.c
@@ -585,7 +585,7 @@ static int coda_alloc_context_buffers(struct coda_ctx *ctx,
 
        if (!ctx->slicebuf.vaddr && q_data->fourcc == V4L2_PIX_FMT_H264) {
                /* worst case slice size */
-               size = (DIV_ROUND_UP(q_data->rect.width, 16) *
+               size = (unsigned long)(DIV_ROUND_UP(q_data->rect.width, 16) *
                        DIV_ROUND_UP(q_data->rect.height, 16)) * 3200 / 8 + 512;
                ret = coda_alloc_context_buf(ctx, &ctx->slicebuf, size,
                                             "slicebuf");
Linux 6.x block layer and io_uring tree(s)