[PATCH] OOB read and write in mdp_prepare_buffer
yqsun1997 at gmail.com
yqsun1997 at gmail.com
Tue Jun 27 01:27:31 PDT 2023
From: yqsun1997 <yqsun1997 at gmail.com>
Because format in struct img_image_buffer max index is IMG_MAX_PLANES ==3,
The num_planes max index is 8.so will be OOB like in mdp_prepare_buffer.
static void mdp_prepare_buffer(struct img_image_buffer *b,
struct mdp_frame *frame, struct vb2_buffer *vb)
{
struct v4l2_pix_format_mplane *pix_mp = &frame->format.fmt.pix_mp;
unsigned int i;
b->format.colorformat = frame->mdp_fmt->mdp_color;
b->format.ycbcr_prof = frame->ycbcr_prof;
for (i = 0; i < pix_mp->num_planes; ++i) {
u32 stride = mdp_fmt_get_stride(frame->mdp_fmt,
pix_mp->plane_fmt[i].bytesperline, i);
b->format.plane_fmt[i].stride = stride; //oob
......
Signed-off-by: yqsun1997 <yqsun1997 at gmail.com>
---
drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h
index ae0396806..e2e991a34 100644
--- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h
+++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h
@@ -11,7 +11,7 @@
#define IMG_MAX_HW_INPUTS 3
#define IMG_MAX_HW_OUTPUTS 4
-#define IMG_MAX_PLANES 3
+#define IMG_MAX_PLANES 8
#define IMG_MAX_COMPONENTS 20
struct img_crop {
--
2.39.2
More information about the linux-arm-kernel
mailing list