On 06/11/2024 07:25, Vikash Garodia wrote:
cap = &caps[core->codecs_count++];
cap->codec = BIT(bit);
cap->domain = VIDC_SESSION_TYPE_ENC;
I don't see how codecs_count could be greater than the control, since you increment by one on each loop but >= is fine too I suppose.
Assume the payload from malicious firmware is packed like below
HFI_PROPERTY_PARAM_CODEC_SUPPORTED
HFI_PROPERTY_PARAM_CODEC_SUPPORTED
HFI_PROPERTY_PARAM_CODEC_SUPPORTED
.....
for 32 or more instances of above type
But you do this
cap = &caps[core->codecs_count++];
for each bit.
Anyway consider Dmitry's input re only calling this function once instead.
--- bod
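
A minimal model of the point discussed in this thread, added here as an example and not taken from the driver or the patch: when `codecs_count` is incremented once per set bit, the bound has to be tested before each `&caps[...]`, so a payload that repeats the codec-supported property stops at the table size. `CAPS_MAX` (32), the `DOMAIN_*` values, `struct core_model`, `add_codecs` and `replay_payload` are assumed names and values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAPS_MAX   32u  /* assumed table size, matching the "32 or more" in the thread */
#define DOMAIN_DEC 1u   /* placeholder values, not the driver's constants */
#define DOMAIN_ENC 2u

struct cap_entry { uint32_t codec, domain; };
struct core_model {              /* hypothetical stand-in for the driver's core state */
    struct cap_entry caps[CAPS_MAX];
    unsigned int codecs_count;
};

/* One entry per set bit; the bound is tested before every write, not once per call. */
static int add_codecs(struct core_model *core, uint32_t mask, uint32_t domain)
{
    for (unsigned int bit = 0; bit < 32; bit++) {
        struct cap_entry *cap;

        if (!(mask & (UINT32_C(1) << bit)))
            continue;
        if (core->codecs_count >= CAPS_MAX)
            return -1;           /* table full: reject instead of indexing past it */
        cap = &core->caps[core->codecs_count++];
        cap->codec = UINT32_C(1) << bit;
        cap->domain = domain;
    }
    return 0;
}

/* Constructed input: the same codec-supported property repeated `repeats` times. */
static unsigned int replay_payload(struct core_model *core, unsigned int repeats,
                                   uint32_t dec_mask, uint32_t enc_mask)
{
    unsigned int rejected = 0;

    memset(core, 0, sizeof(*core));
    for (unsigned int i = 0; i < repeats; i++)
        if (add_codecs(core, dec_mask, DOMAIN_DEC) < 0 ||
            add_codecs(core, enc_mask, DOMAIN_ENC) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    struct core_model core;
    unsigned int rejected = replay_payload(&core, 40, 0x3, 0x1);

    printf("entries=%u rejected=%u\n", core.codecs_count, rejected);
    return 0;
}
```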