The MPEG-4 decoder mvcol buffer was registered, but its size not added
to a frame buffer allocation. This could cause the decoder to write past
the end of the allocated buffer for large frame sizes.
Signed-off-by: Philipp Zabel <p.zabel@xxxxxxxxxxxxxx>
---
drivers/media/platform/coda/coda-bit.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
index 87002bede5ea1..32db1227d0258 100644
--- a/drivers/media/platform/coda/coda-bit.c
+++ b/drivers/media/platform/coda/coda-bit.c
@@ -414,8 +414,10 @@ static int coda_alloc_framebuffers(struct coda_ctx *ctx,
size = round_up(ysize, 4096) + ysize / 2;
else
size = ysize + ysize / 2;
- if (ctx->codec->src_fourcc == V4L2_PIX_FMT_H264 &&
- dev->devtype->product != CODA_DX6)
+ /* Add space for mvcol buffers */
+ if (dev->devtype->product != CODA_DX6 &&
+ (ctx->codec->src_fourcc == V4L2_PIX_FMT_H264 ||
+ (ctx->codec->src_fourcc == V4L2_PIX_FMT_MPEG4 && i == 0)))
size += ysize / 4;
name = kasprintf(GFP_KERNEL, "fb%d", i);
if (!name) {
--
2.11.0
