提交 c204e1fa 编写于 作者: H Hans Verkuil 提交者: Mauro Carvalho Chehab

[media] vivid: fix buffer overrun

The random_line buffer must be twice the maximum width, but it only allocated
the maximum width, so it was only half the size it needed to be.

Surprisingly I never saw the kernel fail on this, but the same TPG code used in
qv4l2 crashed and valgrind helped me track this bug down.
Signed-off-by: NHans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
上级 a0bd3e0b
......@@ -136,7 +136,7 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w)
tpg->black_line[plane] = vzalloc(max_w * pixelsz);
if (!tpg->black_line[plane])
return -ENOMEM;
tpg->random_line[plane] = vzalloc(max_w * pixelsz);
tpg->random_line[plane] = vzalloc(max_w * 2 * pixelsz);
if (!tpg->random_line[plane])
return -ENOMEM;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册