• Duncan Sands's avatar
    V4L/DVB (3394): Bttv: correct bttv_risc_packed buffer size · 4a287cfe
    Duncan Sands authored
    This patch fixes the strange crashes I was seeing after using
    bttv card, caused by a buffer overflow in bttv_risc_packed.
    The instruction buffer size calculation contains two errors:
    (a) a non-zero padding value can push the start of the next bpl
    section to just before a page border, leading to more scanline
    splits and thus additional instructions.
    (b) the first DMA region can be smaller than one page, so there can
    be a scanline split even if bpl*lines is smaller than PAGE_SIZE.
    For example, consider the case where offset is 0, bpl is 2, padding
    is 4094, lines is smaller than 2048, the first DMA region has size 1
    and all others have size PAGE_SIZE, assumed to equal 4096.  Then
    all bpl regions cross page borders and the number of instructions
    written is 2*lines+2, rather than lines+2 (the current estimate).
    With this patch the number of instructions for this example is
    estimated to be 2*lines+3.
    Also, the BUG_ON that was supposed to catch buffer overflows contained
    a thinko causing it fire only if the buffer was overrun by a factor of
    16 or more, so it fixes the the BUG_ON's (using sizeof rather than "4").
    Signed-off-by: default avatarDuncan Sands <baldrick@free.fr>
    Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@infradead.org>
    4a287cfe
bttv-risc.c 22.4 KB