CVE-2026-46263

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix out-of-bounds stream encoder index v3

eng id can be negative and that stream enc regs[] can be indexed out of bounds.

eng id is used directly as an index into stream enc regs[], which has only 5 entries. When eng id is 5 (ENGINE ID DIGF) or negative, this can access memory past the end of the array.

Add a bounds check using ARRAY SIZE() before using eng id as an index. The unsigned cast also rejects negative values.

This avoids out-of-bounds access.

Fixes the below smatch error: dcn* resource.c: stream encoder create() may index stream enc regs[eng id] out of bounds (size 5).

drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351 resource.c 1246 static struct stream encoder *dcn35 stream encoder create( 1247 enum engine id eng id, 1248 struct dc context *ctx) 1249 {

...

1255 1256 /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */ 1257 if (eng id <= ENGINE ID DIGF) {

ENGINE ID DIGF is 5. should <= be <?

Unrelated but, ugh, why is Smatch saying that "eng id" can be negative? end id is type signed long, but there are checks in the caller which prevent it from being negative.

1258 vpg inst = eng id; 1259 afmt inst = eng id; 1260 } else 1261 return NULL; 1262

...

1281 1282 dcn35 dio stream encoder construct(enc1, ctx, ctx->dc bios, 1283 eng id, vpg, afmt, --> 1284 &stream enc regs[eng id], ^^^^^^^^^^^^^^^^^^^^^^^ This stream enc regs[] array has 5 elements so we are one element beyond the end of the array.

...

1287 return &enc1->base; 1288 }

v2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast

v3: The compiler already knows how to compare the two values, so the cast (int) is not needed. (Roman)