Fix possible buffer rollover

d22f726a · Mikhail Karpenko · d7776315 · d22f726a · d22f726a
Commit d22f726a authored Apr 27, 2016 by Mikhail Karpenko
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 11 deletions

circbuf.c src/drivers/elphel/circbuf.c +4 -4

sensor_common.c src/drivers/elphel/sensor_common.c +7 -7

No files found.
--- a/src/drivers/elphel/circbuf.c
+++ b/src/drivers/elphel/circbuf.c
@@ -286,14 +286,14 @@ unsigned long get_image_length(int byte_offset, unsigned int chn, int *last_chun
 //	if (last_image_chunk < 0)
 //		last_image_chunk += CCAM_DMA_SIZE;
 //	len32 = circbuf_priv[chn].buf_ptr[BYTE2DW(last_image_chunk + (CHUNK_SIZE - CCAM_MMAP_META_LENGTH))];
-	offset = last_image_chunk + (CHUNK_SIZE - CCAM_MMAP_META_LENGTH);
+	offset = X393_BUFFADD(last_image_chunk, CHUNK_SIZE - CCAM_MMAP_META_LENGTH);
 	len32 = circbuf_priv[chn].buf_ptr[BYTE2DW(offset)];
 	if ((len32 & MARKER_FF) != MARKER_FF) {
 		dev_dbg(g_dev_ptr, "failed to get 0xff marker at offset 0x%x\n", offset);
 		byte_offset = X393_BUFFSUB(byte_offset, 0x20);
 		last_image_chunk = X393_BUFFSUB(byte_offset, OFFSET_X40);
-		offset = last_image_chunk + (CHUNK_SIZE - CCAM_MMAP_META_LENGTH);
+		offset = X393_BUFFADD(last_image_chunk, CHUNK_SIZE - CCAM_MMAP_META_LENGTH);
 		len32 = circbuf_priv[chn].buf_ptr[BYTE2DW(offset)];
 		if ((len32 & MARKER_FF) != MARKER_FF) {
 			dev_dbg(g_dev_ptr, "failed to get 0xff marker at CORRECTED offset 0x%x\n", offset);
@@ -301,7 +301,7 @@ unsigned long get_image_length(int byte_offset, unsigned int chn, int *last_chun
 		}
 	}
-	dev_dbg(g_dev_ptr, "got len32 = 0x%lx at 0x%x\n", len32, last_image_chunk + (CHUNK_SIZE - CCAM_MMAP_META_LENGTH));
+	dev_dbg(g_dev_ptr, "got len32 = 0x%lx at 0x%x\n", len32, offset);
 	if (last_chunk_offset != NULL)
 		*last_chunk_offset = last_image_chunk;
@@ -353,7 +353,7 @@ int circbuf_valid_ptr(int *rp_offset, struct interframe_params_t **fpp, unsigned
 		} else {
 			dev_dbg(g_dev_ptr, "interframe pointer and file ponter is advanced by 0x20\n");
 			*fpp = fp_off;
-			*rp_offset += CHUNK_SIZE;
+			*rp_offset = X393_BUFFADD(*rp_offset, CHUNK_SIZE);
 			dump_interframe_params(fp_off, rp);
 			return 2;
 		}

--- a/src/drivers/elphel/sensor_common.c
+++ b/src/drivers/elphel/sensor_common.c
@@ -356,7 +356,7 @@ inline struct interframe_params_t* updateIRQ_interframe(struct jpeg_ptr_t *jptr)
 	int prev_len32 = circbuf_priv_ptr[jptr->chn_num].buf_ptr[BYTE2DW(prev_len32_off)];
 	if ((prev_len32 & MARKER_FF) != MARKER_FF) {
 		printk(KERN_DEBUG "warning: applying offset\n");
-		prev_len32_off -= 0x20;
+		prev_len32_off = X393_BUFFSUB(prev_len32_off, 0x20);
 		prev_len32 = circbuf_priv_ptr[jptr->chn_num].buf_ptr[BYTE2DW(prev_len32_off)];
 		if ((prev_len32 & MARKER_FF) == MARKER_FF) {
 			frame_params_offset = BYTE2DW(X393_BUFFADD(prev_len32_off, 4));
@@ -381,12 +381,12 @@ inline struct interframe_params_t* updateIRQ_interframe(struct jpeg_ptr_t *jptr)
 	virt_addr = interframe;
 	__cpuc_flush_dcache_area(virt_addr, CHUNK_SIZE);
 	outer_inv_range(phys_addr, phys_addr + (CHUNK_SIZE - 1));
-	if (jptr->chn_num == 0) {
+//	if (jptr->chn_num == 0) {
-		printk(KERN_DEBUG "this channel start address: phys_addr = 0x%x; buf_ptr = 0x%x",
+//		printk(KERN_DEBUG "this channel start address: phys_addr = 0x%x; buf_ptr = 0x%x",
-				circbuf_priv_ptr[jptr->chn_num].phys_addr, circbuf_priv_ptr[jptr->chn_num].buf_ptr);
+//				circbuf_priv_ptr[jptr->chn_num].phys_addr, circbuf_priv_ptr[jptr->chn_num].buf_ptr);
-		printk(KERN_DEBUG "invalidate cache for channel %d: phys_addr = 0x%x; virt_addr = 0x%x\n",
+//		printk(KERN_DEBUG "invalidate cache for channel %d: phys_addr = 0x%x; virt_addr = 0x%x\n",
-				jptr->chn_num, phys_addr, virt_addr);
+//				jptr->chn_num, phys_addr, virt_addr);
-	}
+//	}
   return interframe;
 }