media: mxl5005s: Bounds check size used for max array index

The use of state->CH_Ctrl[i].size in a shift operation implies that its value can be as much as 32, but the state->CH_Ctrl[i].val array is only 25 in size. Bounds check the size before shifting and looping. Fixes warnings seen with GCC 13: ../drivers/media/tuners/mxl5005s.c: In function 'MXL_ControlWrite_Group.isra': ../drivers/media/tuners/mxl5005s.c:3450:70: warning: array subscript 32 is above array bounds of 'u16[25]' {aka 'short unsigned int[25]'} [-Warray-bounds=] 3450 | state->CH_Ctrl[i].val[j] = (u8)((value >> j) & 0x01); | ~~~~~~~~~~~~~~~~~~~~~^~~ ../drivers/media/tuners/mxl5005s.c:238:13: note: while referencing 'val' 238 | u16 val[25]; /* Binary representation of Value */ | ^~~ Cc: Colin Ian King <colin.i.king@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>

media: mxl5005s: Bounds check size used for max array index
The use of state->CH_Ctrl[i].size in a shift operation implies that its value can be as much as 32, but the state->CH_Ctrl[i].val array is only 25 in size. Bounds check the size before shifting and looping. Fixes warnings seen with GCC 13: ../drivers/media/tuners/mxl5005s.c: In function 'MXL_ControlWrite_Group.isra': ../drivers/media/tuners/mxl5005s.c:3450:70: warning: array subscript 32 is above array bounds of 'u16[25]' {aka 'short unsigned int[25]'} [-Warray-bounds=] 3450 | state->CH_Ctrl[i].val[j] = (u8)((value >> j) & 0x01); | ~~~~~~~~~~~~~~~~~~~~~^~~ ../drivers/media/tuners/mxl5005s.c:238:13: note: while referencing 'val' 238 | u16 val[25]; /* Binary representation of Value */ | ^~~ Cc: Colin Ian King <colin.i.king@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
d5872e93 · Kees Cook · Mauro Carvalho Chehab · de163422 · d5872e93
Commit d5872e93 authored Feb 04, 2023 by Kees Cook Committed by Mauro Carvalho Chehab Mar 19, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

drivers/media/tuners/mxl5005s.c drivers/media/tuners/mxl5005s.c +8 -4

No files found.
--- a/drivers/media/tuners/mxl5005s.c
+++ b/drivers/media/tuners/mxl5005s.c
@@ -3423,9 +3423,11 @@ static u16 MXL_ControlWrite_Group(struct dvb_frontend *fe, u16 controlNum,

 			if (controlNum == state->Init_Ctrl[i].Ctrl_Num) {

-				highLimit = 1 << state->Init_Ctrl[i].size;
+				u16 size = min_t(u16, state->Init_Ctrl[i].size,
+					       ARRAY_SIZE(state->Init_Ctrl[i].val));
+				highLimit = 1 << size;
 				if (value < highLimit) {
-					for (j = 0; j < state->Init_Ctrl[i].size; j++) {
+					for (j = 0; j < size; j++) {
 						state->Init_Ctrl[i].val[j] = (u8)((value >> j) & 0x01);
 						MXL_RegWriteBit(fe, (u8)(state->Init_Ctrl[i].addr[j]),
 							(u8)(state->Init_Ctrl[i].bit[j]),
@@ -3442,9 +3444,11 @@ static u16 MXL_ControlWrite_Group(struct dvb_frontend *fe, u16 controlNum,

 			if (controlNum == state->CH_Ctrl[i].Ctrl_Num) {

-				highLimit = 1 << state->CH_Ctrl[i].size;
+				u16 size = min_t(u16, state->CH_Ctrl[i].size,
+					       ARRAY_SIZE(state->CH_Ctrl[i].val));
+				highLimit = 1 << size;
 				if (value < highLimit) {
-					for (j = 0; j < state->CH_Ctrl[i].size; j++) {
+					for (j = 0; j < size; j++) {
 						state->CH_Ctrl[i].val[j] = (u8)((value >> j) & 0x01);
 						MXL_RegWriteBit(fe, (u8)(state->CH_Ctrl[i].addr[j]),
 							(u8)(state->CH_Ctrl[i].bit[j]),