From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: gpu: nova-core: vbios: limit `BitToken` entry reads Date: Thu, 23 Apr 2026 08:42:23 +1000 Message-ID: In-Reply-To: <20260421-fix-vbios-v3-2-8f648aef7a85@nvidia.com> References: <20260421-fix-vbios-v3-0-8f648aef7a85@nvidia.com> <20260421-fix-vbios-v3-2-8f648aef7a85@nvidia.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Patch Review Good fix. The old code checked `entry_offset + header.token_size > data.len()` but then accessed individual bytes at `entry_offset`, `entry_offset + 1`, etc. without verifying `token_size >= sizeof(BitToken)`. If `token_size` were smaller than 6, the accesses could read beyond the entry. The new code: ```rust if entry_size < size_of::() { return Err(EINVAL); } ``` validates upfront, then uses `.get()` with safe slicing. The refactor to index via `entry[0]`, `entry[1]`, etc. is cleaner and bounds-safe since `entry` is guaranteed to be at least `entry_size` long, which is at least `size_of::()`. No issues. --- Generated by Claude Code Patch Reviewer