From c204e1fafbd50a158a34c8a5bd9682cb04ecb29b Mon Sep 17 00:00:00 2001 From: Hans Verkuil Date: Tue, 7 Oct 2014 08:58:55 -0300 Subject: [PATCH] [media] vivid: fix buffer overrun The random_line buffer must be twice the maximum width, but it only allocated the maximum width, so it was only half the size it needed to be. Surprisingly I never saw the kernel fail on this, but the same TPG code used in qv4l2 crashed and valgrind helped me track this bug down. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- drivers/media/platform/vivid/vivid-tpg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/vivid/vivid-tpg.c b/drivers/media/platform/vivid/vivid-tpg.c index 0c6fa53fa646..cbcd6250e7b2 100644 --- a/drivers/media/platform/vivid/vivid-tpg.c +++ b/drivers/media/platform/vivid/vivid-tpg.c @@ -136,7 +136,7 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w) tpg->black_line[plane] = vzalloc(max_w * pixelsz); if (!tpg->black_line[plane]) return -ENOMEM; - tpg->random_line[plane] = vzalloc(max_w * pixelsz); + tpg->random_line[plane] = vzalloc(max_w * 2 * pixelsz); if (!tpg->random_line[plane]) return -ENOMEM; } -- 2.20.1