media: vivid: free bitmap_cap when updating std/timings/etc.
author Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fri, 9 Nov 2018 13:37:44 +0000 (08:37 -0500)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 9 Jan 2019 15:16:44 +0000 (16:16 +0100)
commit 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 upstream.

When vivid_update_format_cap() is called it should free any overlay
bitmap since the compose size will change.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: syzbot+0cc8e3cc63ca373722c6@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org> # for v3.18 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/media/platform/vivid/vivid-vid-cap.c

index d5c84ecf2027ac3f9b1f8e452e22cc3109cf1cc0..25d4fd4f4c0b2a48a517d2579dc3520284ae8fd8 100644 (file)
@@ -452,6 +452,8 @@ void vivid_update_format_cap(struct vivid_dev *dev, bool keep_controls)
                tpg_s_rgb_range(&dev->tpg, v4l2_ctrl_g_ctrl(dev->rgb_range_cap));
                break;
        }
+       vfree(dev->bitmap_cap);
+       dev->bitmap_cap = NULL;
        vivid_update_quality(dev);
        tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap);
        dev->crop_cap = dev->src_rect;
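
Review bot: The new vfree(dev->bitmap_cap) / dev->bitmap_cap = NULL pair ahead of vivid_update_quality() carries no comment, and nothing in the visible context shows what serializes it against other readers of dev->bitmap_cap. Please add a one-line comment saying the overlay bitmap was sized for the old compose rectangle and is stale once the format is updated, which is the reasoning given in the commit message. Please also confirm that every caller of vivid_update_format_cap() holds the same lock as the code paths that dereference the bitmap. Otherwise a concurrent reader could pick up the pointer between the free and the NULL store. The unconditional call itself is fine, since vfree(NULL) is a no-op, and clearing the pointer right after the free is the right way to prevent a later double free or stale use.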