From: Hans Verkuil Date: Tue, 7 Oct 2014 11:58:55 +0000 (-0300) Subject: [media] vivid: fix buffer overrun X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=c204e1fafbd50a158a34c8a5bd9682cb04ecb29b;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git [media] vivid: fix buffer overrun The random_line buffer must be twice the maximum width, but it only allocated the maximum width, so it was only half the size it needed to be. Surprisingly I never saw the kernel fail on this, but the same TPG code used in qv4l2 crashed and valgrind helped me track this bug down. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/platform/vivid/vivid-tpg.c b/drivers/media/platform/vivid/vivid-tpg.c index 0c6fa53fa646..cbcd6250e7b2 100644 --- a/drivers/media/platform/vivid/vivid-tpg.c +++ b/drivers/media/platform/vivid/vivid-tpg.c @@ -136,7 +136,7 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w) tpg->black_line[plane] = vzalloc(max_w * pixelsz); if (!tpg->black_line[plane]) return -ENOMEM; - tpg->random_line[plane] = vzalloc(max_w * pixelsz); + tpg->random_line[plane] = vzalloc(max_w * 2 * pixelsz); if (!tpg->random_line[plane]) return -ENOMEM; }