CVE-2026-46263

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix out-of-bounds stream encoder index v3

engid can be negative and that streamenc_regs[] can be indexed out of bounds.

engid is used directly as an index into streamencregs[], which has only 5 entries. When engid is 5 (ENGINEIDDIGF) or negative, this can access memory past the end of the array.

Add a bounds check using ARRAYSIZE() before using engid as an index. The unsigned cast also rejects negative values.

This avoids out-of-bounds access.

Fixes the below smatch error: dcn*resource.c: streamencodercreate() may index streamencregs[engid] out of bounds (size 5).

drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351resource.c 1246 static struct streamencoder *dcn35streamencodercreate( 1247 enum engineid engid, 1248 struct dccontext *ctx) 1249 {

...

1255
1256         /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */
1257         if (eng_id <= ENGINE_ID_DIGF) {

ENGINEIDDIGF is 5. should <= be

Unrelated but, ugh, why is Smatch saying that "engid" can be negative? endid is type signed long, but there are checks in the caller which prevent it from being negative.

1258                 vpg_inst = eng_id;
1259                 afmt_inst = eng_id;
1260         } else
1261                 return NULL;
1262

...

1281
1282         dcn35_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios,
1283                                         eng_id, vpg, afmt,

--> 1284 &streamencregs[engid], ^^^^^^^^^^^^^^^^^^^^^^^ This streamenc_regs[] array has 5 elements so we are one element beyond the end of the array.

...

1287         return &enc1->base;
1288 }

v2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast

v3: The compiler already knows how to compare the two values, so the cast (int) is not needed. (Roman)