diff options
author | Mauro Carvalho Chehab <mchehab@infradead.org> | 2006-02-26 19:19:08 -0300 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@infradead.org> | 2006-02-26 19:19:08 -0300 |
commit | 70f758da9596e63f983193d3324a37af3a522ebf (patch) | |
tree | 6800317972635dae8a78b5eb7219368a690051ba /linux/drivers/media/video/bttv-risc.c | |
parent | f93a9b21d5d720be78e36f20d027ba72ed021b4a (diff) | |
download | mediapointer-dvb-s2-70f758da9596e63f983193d3324a37af3a522ebf.tar.gz mediapointer-dvb-s2-70f758da9596e63f983193d3324a37af3a522ebf.tar.bz2 |
bttv: correct bttv_risc_packed buffer size
From: Duncan Sands <duncan.sands@math.u-psud.fr>
This patch fixes the strange crashes I was seeing after using
bttv card, caused by a buffer overflow in bttv_risc_packed.
The instruction buffer size calculation contains two errors:
(a) a non-zero padding value can push the start of the next bpl
section to just before a page border, leading to more scanline
splits and thus additional instructions.
(b) the first DMA region can be smaller than one page, so there can
be a scanline split even if bpl*lines is smaller than PAGE_SIZE.
For example, consider the case where offset is 0, bpl is 2, padding
is 4094, lines is smaller than 2048, the first DMA region has size 1
and all others have size PAGE_SIZE, assumed to equal 4096. Then
all bpl regions cross page borders and the number of instructions
written is 2*lines+2, rather than lines+2 (the current estimate).
With this patch the number of instructions for this example is
estimated to be 2*lines+3.
Also, the BUG_ON that was supposed to catch buffer overflows contained
a thinko causing it fire only if the buffer was overrun by a factor of
16 or more, so it fixes the the BUG_ON's (using sizeof rather than "4").
Signed-off-by: Duncan Sands <baldrick@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Diffstat (limited to 'linux/drivers/media/video/bttv-risc.c')
-rw-r--r-- | linux/drivers/media/video/bttv-risc.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/linux/drivers/media/video/bttv-risc.c b/linux/drivers/media/video/bttv-risc.c index acceee39a..4efe74dd8 100644 --- a/linux/drivers/media/video/bttv-risc.c +++ b/linux/drivers/media/video/bttv-risc.c @@ -52,8 +52,10 @@ bttv_risc_packed(struct bttv *btv, struct btcx_riscmem *risc, int rc; /* estimate risc mem: worst case is one write per page border + - one write per scan line + sync + jump (all 2 dwords) */ - instructions = (bpl * lines) / PAGE_SIZE + lines; + one write per scan line + sync + jump (all 2 dwords). padding + can cause next bpl to start close to a page border. First DMA + region may be smaller than PAGE_SIZE */ + instructions = 1 + ((bpl + padding) * lines) / PAGE_SIZE + lines; instructions += 2; if ((rc = btcx_riscmem_alloc(btv->c.pci,risc,instructions*8)) < 0) return rc; @@ -105,7 +107,7 @@ bttv_risc_packed(struct bttv *btv, struct btcx_riscmem *risc, /* save pointer to jmp instruction address */ risc->jmp = rp; - BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); + BUG_ON((risc->jmp - risc->cpu + 2) * sizeof(*risc->cpu) > risc->size); return 0; } @@ -223,7 +225,7 @@ bttv_risc_planar(struct bttv *btv, struct btcx_riscmem *risc, /* save pointer to jmp instruction address */ risc->jmp = rp; - BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); + BUG_ON((risc->jmp - risc->cpu + 2) * sizeof(*risc->cpu) > risc->size); return 0; } @@ -308,7 +310,7 @@ bttv_risc_overlay(struct bttv *btv, struct btcx_riscmem *risc, /* save pointer to jmp instruction address */ risc->jmp = rp; - BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); + BUG_ON((risc->jmp - risc->cpu + 2) * sizeof(*risc->cpu) > risc->size); kfree(skips); return 0; } |