
Commit 607bcc4

Sakari Ailusmchehab
authored andcommitted
media: i2c: ccs: Check rules is non-NULL
Fix the following smatch warning: drivers/media/i2c/ccs/ccs-data.c:524 ccs_data_parse_rules() warn: address of NULL pointer 'rules' The CCS static data rule parser does not check an if rule has been obtained before checking for other rule types (which depend on the if rule). In practice this means parsing invalid CCS static data could lead to dereferencing a NULL pointer. Reported-by: Hans Verkuil <[email protected]> Fixes: a6b396f ("media: ccs: Add CCS static data parser library") Cc: [email protected] # for 5.11 and up Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]>
1 parent da57d12 commit 607bcc4


1 file changed

+56
-45
lines changed


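--- a/drivers/media/i2c/ccs/ccs-data.c
+++ b/drivers/media/i2c/ccs/ccs-data.c
@@ -464,8 +464,7 @@ static int ccs_data_parse_rules(struct bin_container *bin,
 rule_payload = __rule_type + 1;
 rule_plen2 = rule_plen - sizeof(*__rule_type);
 
-switch (*__rule_type) {
-case CCS_DATA_BLOCK_RULE_ID_IF: {
+if (*__rule_type == CCS_DATA_BLOCK_RULE_ID_IF) {
 const struct __ccs_data_block_rule_if *__if_rules =
 rule_payload;
 const size_t __num_if_rules =
@@ -514,49 +513,61 @@ static int ccs_data_parse_rules(struct bin_container *bin,
 rules->if_rules = if_rule;
 rules->num_if_rules = __num_if_rules;
 }
-break;
-}
-case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS:
-rval = ccs_data_parse_reg_rules(bin, &rules->read_only_regs,
-&rules->num_read_only_regs,
-rule_payload,
-rule_payload + rule_plen2,
-dev);
-if (rval)
-return rval;
-break;
-case CCS_DATA_BLOCK_RULE_ID_FFD:
-rval = ccs_data_parse_ffd(bin, &rules->frame_format,
-rule_payload,
-rule_payload + rule_plen2,
-dev);
-if (rval)
-return rval;
-break;
-case CCS_DATA_BLOCK_RULE_ID_MSR:
-rval = ccs_data_parse_reg_rules(bin,
-&rules->manufacturer_regs,
-&rules->num_manufacturer_regs,
-rule_payload,
-rule_payload + rule_plen2,
-dev);
-if (rval)
-return rval;
-break;
-case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT:
-rval = ccs_data_parse_pdaf_readout(bin,
-&rules->pdaf_readout,
-rule_payload,
-rule_payload + rule_plen2,
-dev);
-if (rval)
-return rval;
-break;
-default:
-dev_dbg(dev,
-"Don't know how to handle rule type %u!\n",
-*__rule_type);
-return -EINVAL;
+} else {
+/* Check there was an if rule before any other rules */
+if (bin->base && !rules)
+return -EINVAL;
+
+switch (*__rule_type) {
+case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS:
+rval = ccs_data_parse_reg_rules(bin,
+rules ?
+&rules->read_only_regs : NULL,
+rules ?
+&rules->num_read_only_regs : NULL,
+rule_payload,
+rule_payload + rule_plen2,
+dev);
+if (rval)
+return rval;
+break;
+case CCS_DATA_BLOCK_RULE_ID_FFD:
+rval = ccs_data_parse_ffd(bin, rules ?
+&rules->frame_format : NULL,
+rule_payload,
+rule_payload + rule_plen2,
+dev);
+if (rval)
+return rval;
+break;
+case CCS_DATA_BLOCK_RULE_ID_MSR:
+rval = ccs_data_parse_reg_rules(bin,
+rules ?
+&rules->manufacturer_regs : NULL,
+rules ?
+&rules->num_manufacturer_regs : NULL,
+rule_payload,
+rule_payload + rule_plen2,
+dev);
+if (rval)
+return rval;
+break;
+case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT:
+rval = ccs_data_parse_pdaf_readout(bin,
+rules ?
+&rules->pdaf_readout : NULL,
+rule_payload,
+rule_payload + rule_plen2,
+dev);
+if (rval)
+return rval;
+break;
+default:
+dev_dbg(dev,
+"Don't know how to handle rule type %u!\n",
+*__rule_type);
+return -EINVAL;
+}
 }
 __next_rule = __next_rule + rule_hlen + rule_plen;
 }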
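Review bot: The guard `if (bin->base && !rules)` added in the second hunk rejects a rule with no preceding if rule only when `bin->base` is set; when it is not, `rules` may still be NULL and the `rules ? &rules->… : NULL` arguments hand NULL output pointers to ccs_data_parse_reg_rules(), ccs_data_parse_ffd() and ccs_data_parse_pdaf_readout(). Whether those callees avoid storing through their output pointers when `bin->base` is NULL is not visible here, so the NULL dereference risk the commit describes now rests on their behaviour, and that contract should be stated at the guard, e.g. `/* With !bin->base, rules may be NULL: callees get NULL outputs and must not store through them */`. The rejection is also silent, unlike the `default:` case, which logs through dev_dbg(); a matching `dev_dbg(dev, "Rule type %u without a preceding if rule\n", *__rule_type);` before `return -EINVAL;` would make malformed static data diagnosable. The body of ccs_data_parse_rules() starts and ends outside both hunks.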
