From patchwork Sat Jan 30 14:44:32 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter <dan.carpenter@oracle.com>
X-Patchwork-Id: 8171411
Return-Path: <linux-fbdev-owner@kernel.org>
X-Original-To: patchwork-linux-fbdev@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 70804BEEE5
	for <patchwork-linux-fbdev@patchwork.kernel.org>;
	Sat, 30 Jan 2016 14:44:50 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id A338820396
	for <patchwork-linux-fbdev@patchwork.kernel.org>;
	Sat, 30 Jan 2016 14:44:49 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id AB8B120395
	for <patchwork-linux-fbdev@patchwork.kernel.org>;
	Sat, 30 Jan 2016 14:44:48 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756989AbcA3Oor (ORCPT
	<rfc822;patchwork-linux-fbdev@patchwork.kernel.org>);
	Sat, 30 Jan 2016 09:44:47 -0500
Received: from aserp1040.oracle.com ([141.146.126.69]:40175 "EHLO
	aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756980AbcA3Oor (ORCPT
	<rfc822;linux-fbdev@vger.kernel.org>);
	Sat, 30 Jan 2016 09:44:47 -0500
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74])
	by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with
	ESMTP id u0UEigNs008996
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
	verify=OK); Sat, 30 Jan 2016 14:44:42 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72])
	by userv0022.oracle.com (8.14.4/8.13.8) with ESMTP id u0UEif4c012018
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL);
	Sat, 30 Jan 2016 14:44:41 GMT
Received: from abhmp0005.oracle.com (abhmp0005.oracle.com [141.146.116.11])
	by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id
	u0UEid9N029404; Sat, 30 Jan 2016 14:44:40 GMT
Received: from mwanda (/154.0.139.178)
	by default (Oracle Beehive Gateway v4.0)
	with ESMTP ; Sat, 30 Jan 2016 06:44:39 -0800
Date: Sat, 30 Jan 2016 17:44:32 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>,
	Jaya Kumar <jayakumar.lkml@gmail.com>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>,
	linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-janitors@vger.kernel.org
Subject: [patch] video: fbdev: metronomefb: two harmless off by one bugs
Message-ID: <20160130144432.GF3462@mwanda>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Sender: linux-fbdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fbdev.vger.kernel.org>
X-Mailing-List: linux-fbdev@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

par->metromem_cmd->args[] is an array of 31 elements of size u16.  Here
we have initialized the first "i" elements and want to set the rest to
zero.

The issue here is that ARRAY_SIZE(par->metromem_cmd->args) is 31 and not
32 as in the original code.  It means that we set ->csum to zero, but
that is harmless because we immediately set it to the correct value on
the next line.

Still, the buffer overflow upsets static checkers so let's correct the
math.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
To unsubscribe from this list: send the line "unsubscribe linux-fbdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/video/fbdev/metronomefb.c b/drivers/video/fbdev/metronomefb.c
index ad04a01..abb6bbf 100644
--- a/drivers/video/fbdev/metronomefb.c
+++ b/drivers/video/fbdev/metronomefb.c
@@ -354,7 +354,8 @@ static int metronome_powerup_cmd(struct metronomefb_par *par)
 	}
 
 	/* the rest are 0 */
-	memset((u8 *) (par->metromem_cmd->args + i), 0, (32-i)*2);
+	memset(&par->metromem_cmd->args[i], 0,
+	       (ARRAY_SIZE(par->metromem_cmd->args) - i) * 2);
 
 	par->metromem_cmd->csum = cs;
 
@@ -376,7 +377,8 @@ static int metronome_config_cmd(struct metronomefb_par *par)
 	memcpy(par->metromem_cmd->args, epd_frame_table[par->dt].config,
 		sizeof(epd_frame_table[par->dt].config));
 	/* the rest are 0 */
-	memset((u8 *) (par->metromem_cmd->args + 4), 0, (32-4)*2);
+	memset(&par->metromem_cmd->args[4], 0,
+	       (ARRAY_SIZE(par->metromem_cmd->args) - 4) * 2);
 
 	par->metromem_cmd->csum = 0xCC10;
 	par->metromem_cmd->csum += calc_img_cksum(par->metromem_cmd->args, 4);