23 Aug 2022, 8:32 a.m.
On Mon, 22 Aug 2022 20:59:09 +0200, Pierre-Louis Bossart wrote:
+#define SSP_BLOB_V1_0_SIZE 84 +#define SSP_BLOB_V1_0_MDIVC_OFFSET 19 /* offset in u32 */ +#define SSP_BLOB_V1_5_SIZE 96 +#define SSP_BLOB_V1_5_MDIVC_OFFSET 21 /* offset in u32 */
This is 84 in bytes, which is equal to SSP_BLOB_V1_0_SIZE. So...
for (j = 0; j < fmt->fmt_count; j++) {
u32 *blob;
int mdivc_offset;
if (cfg->config.size >= SSP_BLOB_V1_0_SIZE) {
blob = (u32 *)cfg->config.caps;
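Review bot: the guard `if (cfg->config.size >= SSP_BLOB_V1_0_SIZE)` only establishes that the blob holds 84 bytes, i.e. u32 indices 0..20, yet the `mdivc_offset` used to index `blob` can be `SSP_BLOB_V1_5_MDIVC_OFFSET` (21), which starts at byte 84 and so lies one u32 past the end of a V1.0-sized blob. Suggest deriving the offset from the size (`SSP_BLOB_V1_5_MDIVC_OFFSET` only when `cfg->config.size >= SSP_BLOB_V1_5_SIZE`, else `SSP_BLOB_V1_0_MDIVC_OFFSET`) and rejecting any blob where `(mdivc_offset + 1) * sizeof(u32) > cfg->config.size` before `blob[mdivc_offset]` is read, so that a short blob cannot drive an out-of-bounds read.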
... the size check is >= 84. If cfg->config.size == 84, it may be an out-of-bounds read at blob[SSP_BLOB_V1_5_MDIVC_OFFSET]?
I don't think this would really matter in practice, but it's better to have a proper check, of course.
thanks,
Takashi