[lvc-project] [QUESTION] media: dib9000: possible array index overflow in dib9000_fw_init()
Александр Бураков
a.burakov at rosalinux.ru
Fri Dec 23 12:48:36 MSK 2022
Hello!
There is a check of the value of the variable "size" in the function
dib9000_fw_memmbx_sync() in dib9000.c against the size of the array b,
which is equal to 40 (u16 b[40] = { 0 };), after the
dib9000_mbx_get_message(state, IN_MSG_FE_FW_DL_DONE, b, &size) call.
If the variable "size" is less than 40, a for loop follows
with an incrementing variable "i". Its initial value is 0,
"i < size" is the loop terminator, and i takes only even values. In this loop
there is the operation "state->platform.risc.fe_mm[i/2].addr = b[i + 0]".
The "fe_mm[18]" array has only 18 elements. Therefore, there is a possible
index overflow when i is more than 34 (i >= 36).
Code:
    if (dib9000_mbx_get_message(state, IN_MSG_FE_FW_DL_DONE, b, &size) < 0) // size = [0 .. 254]
        return -EIO;
    if (size > ARRAY_SIZE(b)) { // var size
        dprintk("error : firmware returned %dbytes needed but the used buffer has only %dbytes\n Firmware init ABORTED", size,
                (int)ARRAY_SIZE(b));
        return -EINVAL;
    }
    for (i = 0; i < size; i += 2) {
        state->platform.risc.fe_mm[i / 2].addr = b[i + 0]; // i = [0,2,4..38], size(fe_mm) == 18
        state->platform.risc.fe_mm[i / 2].size = b[i + 1]; // i/2 = [0,1,2..19], fe_mm[i/2] > size => overflow
    }
Could you please tell me whether there is a bug here or this is OK?
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Best regards,
Aleksandr Burakov
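The bounds reasoning in the question above, as an added example that is not part of the original message and not code from dib9000.c: a stand-alone C model of the guard and the copy loop, using the sizes quoted in the question (b[40], fe_mm[18]). It shows that the existing check (size against ARRAY_SIZE(b)) lets through word counts whose i/2 index reaches 18 and 19, and places a hardened copy of the loop beside it that also bounds size by 2 * ARRAY_SIZE(fe_mm). All names prefixed with model_, the constructed firmware reply, and the -1 return value standing in for -EINVAL are assumptions made for this example, not driver code.

```c
/* Added example modelling the dib9000_fw_memmbx_sync() bounds question.
 * Not driver code: model_* names, the constructed reply and the -1 error
 * return (stand-in for -EINVAL) are assumptions made for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define FE_MM_ENTRIES 18   /* number of fe_mm[] entries quoted in the question */
#define MSG_WORDS 40       /* number of u16 words in b[] quoted in the question */

struct model_fe_mm {
    uint16_t addr;
    uint16_t size;
};

/* The guard as posted: only compares the word count against b[].
 * Returns 1 if the copy loop would be entered with this size. */
static int model_original_guard_passes(unsigned int size)
{
    return size <= MSG_WORDS;
}

/* Highest fe_mm index touched by "for (i = 0; i < size; i += 2) fe_mm[i / 2]".
 * Returns -1 when the loop body never runs. */
static int model_max_fe_mm_index(unsigned int size)
{
    return size == 0 ? -1 : (int)((size - 1) / 2);
}

/* Returns 1 if the original guard admits this size but the loop would
 * write past fe_mm[FE_MM_ENTRIES]. */
static int model_overflows(unsigned int size)
{
    return model_original_guard_passes(size) &&
           model_max_fe_mm_index(size) >= FE_MM_ENTRIES;
}

/* Hardened copy of the loop: bounded by both b[] and fe_mm[].
 * Returns the number of fe_mm entries written, or -1 if the reply would
 * not fit in either array. */
static int model_sync_checked(const uint16_t *b, unsigned int size,
                              struct model_fe_mm *fe_mm, size_t fe_mm_len)
{
    unsigned int i;

    if (size > MSG_WORDS || size > 2 * fe_mm_len)
        return -1;
    for (i = 0; i < size; i += 2) {
        fe_mm[i / 2].addr = b[i + 0];
        fe_mm[i / 2].size = b[i + 1];
    }
    return (int)(size / 2);
}

/* Constructed firmware reply: word k holds 0x1000 + k so that every entry
 * is distinguishable after the copy. */
static void model_build_reply(uint16_t *b, size_t words)
{
    size_t k;

    for (k = 0; k < words; k++)
        b[k] = (uint16_t)(0x1000 + k);
}

/* Runs the hardened loop on a constructed reply of "size" words and returns
 * its result (entry count or -1). */
static int model_demo(unsigned int size)
{
    uint16_t b[MSG_WORDS] = { 0 };
    struct model_fe_mm fe_mm[FE_MM_ENTRIES] = { { 0, 0 } };

    model_build_reply(b, ARRAY_SIZE(b));
    return model_sync_checked(b, size, fe_mm, ARRAY_SIZE(fe_mm));
}

/* Address stored in the last fe_mm entry after a full 36-word reply,
 * i.e. b[34] = 0x1022 in the constructed data. */
static uint16_t model_demo_last_addr(void)
{
    uint16_t b[MSG_WORDS] = { 0 };
    struct model_fe_mm fe_mm[FE_MM_ENTRIES] = { { 0, 0 } };

    model_build_reply(b, ARRAY_SIZE(b));
    if (model_sync_checked(b, 2 * FE_MM_ENTRIES, fe_mm, ARRAY_SIZE(fe_mm)) < 0)
        return 0;
    return fe_mm[FE_MM_ENTRIES - 1].addr;
}

int main(void)
{
    unsigned int size;

    for (size = 34; size <= 40; size += 2)
        printf("size=%u guard=%d max_index=%d overflow=%d checked=%d\n",
               size, model_original_guard_passes(size),
               model_max_fe_mm_index(size), model_overflows(size),
               model_demo(size));
    return 0;
}
```

The model keeps the loop terminator "i < size" from the question so that the index arithmetic matches the posted code; the only change in the hardened copy is the extra bound on size. Sizes 36, 38 and 40 pass the original guard yet reach fe_mm[18] and fe_mm[19], while the hardened copy rejects them.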