From e9ca7fc16788e8d4cb52c4ef94ba17caca9f1d35 Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab
Date: Tue, 11 Apr 2006 10:18:57 -0300
Subject: Correct buffer size calculations in cx88-core.c
From: Duncan Sands
The computation in cx88_risc_buffer suffers from the mistake: a non-zero padding value can cause more page borders to be crossed, leading to big buffer over-runs. This patch changes the additive constant from 3 + 4 to 4 It also changees the constant in cx88_risc_databuffer from 3 + 4 to 2, because 2 dwords are the correct vaule.
Signed-off-by: Duncan Sands
Signed-off-by: Mauro Carvalho Chehab
---
 linux/drivers/media/video/cx88/cx88-core.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
(limited to 'linux/drivers/media/video/cx88/cx88-core.c')
diff --git a/linux/drivers/media/video/cx88/cx88-core.c b/linux/drivers/media/video/cx88/cx88-core.c
index 9636dedcf..9587434ca 100644
--- a/linux/drivers/media/video/cx88/cx88-core.c
+++ b/linux/drivers/media/video/cx88/cx88-core.c
@@ -163,9 +163,11 @@ int cx88_risc_buffer(struct pci_dev *pci, struct btcx_riscmem *risc,
 fields++;
 /* estimate risc mem: worst case is one write per page border +
- one write per scan line + syncs + jump (all 2 dwords) */
- instructions = (bpl * lines * fields) / PAGE_SIZE + lines * fields;
- instructions += 3 + 4;
+ one write per scan line + syncs + jump (all 2 dwords). Padding
+ can cause next bpl to start close to a page border. First DMA
+ region may be smaller than PAGE_SIZE */
+ instructions = fields * (1 + ((bpl + padding) * lines) / PAGE_SIZE + lines);
+ instructions += 2;
 if ((rc = btcx_riscmem_alloc(pci,risc,instructions*8)) < 0)
 return rc;
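Review bot: The corrected worst case in cx88_risc_buffer is still only an estimate, and nothing visible in this hunk verifies that the RISC program written afterwards stays inside the `instructions*8` bytes that were allocated. Since the commit message attributes large buffer over-runs to the previous miscalculation, a bounds assertion once the program has been generated would turn any future estimate error into an immediate failure instead of silent memory corruption, for example `BUG_ON((risc->jmp - risc->cpu + 2) * sizeof(*risc->cpu) > risc->size);`. The code that writes the program lies outside the hunk, so such a check may already exist or may need adapting to where the final jump is recorded. The same concern applies to cx88_risc_databuffer in the next hunk.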
@@ -193,9 +195,11 @@ int cx88_risc_databuffer(struct pci_dev *pci, struct btcx_riscmem *risc,
 int rc;
 /* estimate risc mem: worst case is one write per page border +
- one write per scan line + syncs + jump (all 2 dwords) */
- instructions = (bpl * lines) / PAGE_SIZE + lines;
- instructions += 3 + 4;
+ one write per scan line + syncs + jump (all 2 dwords). Here
+ there is no padding and no sync. First DMA region may be smaller
+ than PAGE_SIZE */
+ instructions = 1 + (bpl * lines) / PAGE_SIZE + lines;
+ instructions += 1;
 if ((rc = btcx_riscmem_alloc(pci,risc,instructions*8)) < 0)
 return rc;
--
cgit v1.2.3
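Review bot: The rewritten comment in cx88_risc_databuffer still lists "syncs + jump" in the worst case and then says there is no sync, and it does not say which term each of the two `1` constants covers. The commit message describes the change as a single constant of 2, whereas the code splits it into a leading `1 +` and a trailing `+= 1`, so the next person adjusting this sizing has to guess. Annotating the two lines would make the budget auditable, e.g. `/* +1: first DMA region may be shorter than a page */` on the first and `/* +1: final jump */` on the second; that mapping is inferred from the comment text and should be confirmed against the generator, which is outside the hunk.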