From 27ac41a81334b527a570f1454dc4a54b16336bbf Mon Sep 17 00:00:00 2001 From: Gerd Knorr Date: Thu, 16 Sep 2004 07:05:48 +0000 Subject: - bttv: fix planat capture. - bttv: add risc buffer size sanity checks. --- linux/drivers/media/video/bttv-risc.c | 15 +++++++-------- linux/drivers/media/video/cx88/cx88-core.c | 4 +++- linux/drivers/media/video/cx88/cx88-i2c.c | 4 ++-- 3 files changed, 12 insertions(+), 11 deletions(-) (limited to 'linux/drivers/media') diff --git a/linux/drivers/media/video/bttv-risc.c b/linux/drivers/media/video/bttv-risc.c index 9f779ac23..fd0cf227e 100644 --- a/linux/drivers/media/video/bttv-risc.c +++ b/linux/drivers/media/video/bttv-risc.c @@ -1,5 +1,5 @@ /* - $Id: bttv-risc.c,v 1.6 2004/09/15 16:15:24 kraxel Exp $ + $Id: bttv-risc.c,v 1.7 2004/09/16 07:05:48 kraxel Exp $ bttv-risc.c -- interfaces to other kernel modules @@ -57,8 +57,6 @@ bttv_risc_packed(struct bttv *btv, struct btcx_riscmem *risc, instructions += 2; if ((rc = btcx_riscmem_alloc(btv->c.pci,risc,instructions*8)) < 0) return rc; - dprintk("bttv%d: risc packed: bpl %d lines %d instr %d size %d ptr %p\n", - btv->c.nr, bpl, lines, instructions, risc->size, risc->cpu); /* sync instruction */ rp = risc->cpu; @@ -103,13 +101,11 @@ bttv_risc_packed(struct bttv *btv, struct btcx_riscmem *risc, offset += todo; } offset += padding; - dprintk("bttv%d: risc packed: line %d ptr %p\n", - btv->c.nr, line, rp); } - dprintk("bttv%d: risc packed: %d sglist elems\n", btv->c.nr, (int)(sg-sglist)); /* save pointer to jmp instruction address */ risc->jmp = rp; + BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); return 0; } @@ -127,6 +123,7 @@ bttv_risc_planar(struct bttv *btv, struct btcx_riscmem *risc, struct scatterlist *ysg; struct scatterlist *usg; struct scatterlist *vsg; + int topfield = (0 == yoffset); int rc; /* estimate risc mem: worst case is one write per page border + @@ -155,13 +152,13 @@ bttv_risc_planar(struct bttv *btv, struct btcx_riscmem *risc, chroma = 1; break; case 1: - if (!yoffset) + if (topfield) chroma = ((line & 1) == 0); else chroma = ((line & 1) == 1); break; case 2: - if (!yoffset) + if (topfield) chroma = ((line & 3) == 0); else chroma = ((line & 3) == 2); @@ -226,6 +223,7 @@ bttv_risc_planar(struct bttv *btv, struct btcx_riscmem *risc, /* save pointer to jmp instruction address */ risc->jmp = rp; + BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); return 0; } @@ -310,6 +308,7 @@ bttv_risc_overlay(struct bttv *btv, struct btcx_riscmem *risc, /* save pointer to jmp instruction address */ risc->jmp = rp; + BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); kfree(skips); return 0; } diff --git a/linux/drivers/media/video/cx88/cx88-core.c b/linux/drivers/media/video/cx88/cx88-core.c index f5c16de32..5edc9e9c2 100644 --- a/linux/drivers/media/video/cx88/cx88-core.c +++ b/linux/drivers/media/video/cx88/cx88-core.c @@ -1,5 +1,5 @@ /* - * $Id: cx88-core.c,v 1.9 2004/09/15 16:15:24 kraxel Exp $ + * $Id: cx88-core.c,v 1.10 2004/09/16 07:05:48 kraxel Exp $ * * device driver for Conexant 2388x based TV cards * driver core @@ -207,6 +207,7 @@ int cx88_risc_buffer(struct pci_dev *pci, struct btcx_riscmem *risc, /* save pointer to jmp instruction address */ risc->jmp = rp; + BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); return 0; } @@ -231,6 +232,7 @@ int cx88_risc_databuffer(struct pci_dev *pci, struct btcx_riscmem *risc, /* save pointer to jmp instruction address */ risc->jmp = rp; + BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); return 0; } diff --git a/linux/drivers/media/video/cx88/cx88-i2c.c b/linux/drivers/media/video/cx88/cx88-i2c.c index 91c9ca206..c01317786 100644 --- a/linux/drivers/media/video/cx88/cx88-i2c.c +++ b/linux/drivers/media/video/cx88/cx88-i2c.c @@ -1,5 +1,5 @@ /* - $Id: cx88-i2c.c,v 1.11 2004/09/15 16:15:24 kraxel Exp $ + $Id: cx88-i2c.c,v 1.12 2004/09/16 07:05:48 kraxel Exp $ cx88-i2c.c -- all the i2c code is here @@ -96,7 +96,7 @@ static int attach_inform(struct i2c_client *client) dprintk(1, "i2c attach [client=%s]\n", i2c_clientname(client)); if (!client->driver->command) - return; + return 0; if (core->tuner_type != UNSET) client->driver->command(client, TUNER_SET_TYPE, &core->tuner_type); -- cgit v1.2.3