The MPEG-4 decoder mvcol buffer was registered, but its size not added
to a frame buffer allocation. This could cause the decoder to write past
the end of the allocated buffer for large frame sizes.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
size = round_up(ysize, 4096) + ysize / 2;
else
size = ysize + ysize / 2;
- if (ctx->codec->src_fourcc == V4L2_PIX_FMT_H264 &&
- dev->devtype->product != CODA_DX6)
+ /* Add space for mvcol buffers */
+ if (dev->devtype->product != CODA_DX6 &&
+ (ctx->codec->src_fourcc == V4L2_PIX_FMT_H264 ||
+ (ctx->codec->src_fourcc == V4L2_PIX_FMT_MPEG4 && i == 0)))
size += ysize / 4;
name = kasprintf(GFP_KERNEL, "fb%d", i);
if (!name) {
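Review bot: The `i == 0` term in the new condition is unexplained. The comment "Add space for mvcol buffers" does not say why MPEG-4 gets the extra `ysize / 4` only on the first frame buffer while H.264 gets it on every one. Please expand the comment to state the reason (for example, that MPEG-4 uses a single mvcol buffer placed after the first frame buffer, if that is the case). The commit message describes the overrun as a mismatch between the buffer that is registered and the size that is allocated, so this condition has to stay in step with the registration code. Consider moving the product/fourcc/index test into one small helper used by both places so the two cannot drift apart again.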