[media] vivid: fix buffer overrun

The random_line buffer must be twice the maximum width, but it only allocated the maximum width, so it was only half the size it needed to be. Surprisingly I never saw the kernel fail on this, but the same TPG code used in qv4l2 crashed and valgrind helped me track this bug down. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
git-mirror · Oct 21, 2014 · c204e1f · c204e1f
1 parent a0bd3e0
commit c204e1f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/media/platform/vivid/vivid-tpg.c b/drivers/media/platform/vivid/vivid-tpg.c
@@ -136,7 +136,7 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w)
 		tpg->black_line[plane] = vzalloc(max_w * pixelsz);
 		if (!tpg->black_line[plane])
 			return -ENOMEM;
-		tpg->random_line[plane] = vzalloc(max_w * pixelsz);
+		tpg->random_line[plane] = vzalloc(max_w * 2 * pixelsz);
 		if (!tpg->random_line[plane])
 			return -ENOMEM;
 	}