Commit 4a287cfe authored by Duncan Sands's avatar Duncan Sands Committed by Mauro Carvalho Chehab

V4L/DVB (3394): Bttv: correct bttv_risc_packed buffer size

This patch fixes the strange crashes I was seeing after using
bttv card, caused by a buffer overflow in bttv_risc_packed.
The instruction buffer size calculation contains two errors:
(a) a non-zero padding value can push the start of the next bpl
section to just before a page border, leading to more scanline
splits and thus additional instructions.
(b) the first DMA region can be smaller than one page, so there can
be a scanline split even if bpl*lines is smaller than PAGE_SIZE.
For example, consider the case where offset is 0, bpl is 2, padding
is 4094, lines is smaller than 2048, the first DMA region has size 1
and all others have size PAGE_SIZE, assumed to equal 4096.  Then
all bpl regions cross page borders and the number of instructions
written is 2*lines+2, rather than lines+2 (the current estimate).
With this patch the number of instructions for this example is
estimated to be 2*lines+3.
Also, the BUG_ON that was supposed to catch buffer overflows contained
a thinko causing it fire only if the buffer was overrun by a factor of
16 or more, so it fixes the the BUG_ON's (using sizeof rather than "4").
Signed-off-by: default avatarDuncan Sands <baldrick@free.fr>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@infradead.org>
parent 6457af5f
...@@ -51,8 +51,10 @@ bttv_risc_packed(struct bttv *btv, struct btcx_riscmem *risc, ...@@ -51,8 +51,10 @@ bttv_risc_packed(struct bttv *btv, struct btcx_riscmem *risc,
int rc; int rc;
/* estimate risc mem: worst case is one write per page border + /* estimate risc mem: worst case is one write per page border +
one write per scan line + sync + jump (all 2 dwords) */ one write per scan line + sync + jump (all 2 dwords). padding
instructions = (bpl * lines) / PAGE_SIZE + lines; can cause next bpl to start close to a page border. First DMA
region may be smaller than PAGE_SIZE */
instructions = 1 + ((bpl + padding) * lines) / PAGE_SIZE + lines;
instructions += 2; instructions += 2;
if ((rc = btcx_riscmem_alloc(btv->c.pci,risc,instructions*8)) < 0) if ((rc = btcx_riscmem_alloc(btv->c.pci,risc,instructions*8)) < 0)
return rc; return rc;
...@@ -104,7 +106,7 @@ bttv_risc_packed(struct bttv *btv, struct btcx_riscmem *risc, ...@@ -104,7 +106,7 @@ bttv_risc_packed(struct bttv *btv, struct btcx_riscmem *risc,
/* save pointer to jmp instruction address */ /* save pointer to jmp instruction address */
risc->jmp = rp; risc->jmp = rp;
BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); BUG_ON((risc->jmp - risc->cpu + 2) * sizeof(*risc->cpu) > risc->size);
return 0; return 0;
} }
...@@ -222,7 +224,7 @@ bttv_risc_planar(struct bttv *btv, struct btcx_riscmem *risc, ...@@ -222,7 +224,7 @@ bttv_risc_planar(struct bttv *btv, struct btcx_riscmem *risc,
/* save pointer to jmp instruction address */ /* save pointer to jmp instruction address */
risc->jmp = rp; risc->jmp = rp;
BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); BUG_ON((risc->jmp - risc->cpu + 2) * sizeof(*risc->cpu) > risc->size);
return 0; return 0;
} }
...@@ -307,7 +309,7 @@ bttv_risc_overlay(struct bttv *btv, struct btcx_riscmem *risc, ...@@ -307,7 +309,7 @@ bttv_risc_overlay(struct bttv *btv, struct btcx_riscmem *risc,
/* save pointer to jmp instruction address */ /* save pointer to jmp instruction address */
risc->jmp = rp; risc->jmp = rp;
BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); BUG_ON((risc->jmp - risc->cpu + 2) * sizeof(*risc->cpu) > risc->size);
kfree(skips); kfree(skips);
return 0; return 0;
} }
......
...@@ -163,7 +163,7 @@ int cx88_risc_buffer(struct pci_dev *pci, struct btcx_riscmem *risc, ...@@ -163,7 +163,7 @@ int cx88_risc_buffer(struct pci_dev *pci, struct btcx_riscmem *risc,
/* save pointer to jmp instruction address */ /* save pointer to jmp instruction address */
risc->jmp = rp; risc->jmp = rp;
BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); BUG_ON((risc->jmp - risc->cpu + 2) * sizeof (*risc->cpu) > risc->size);
return 0; return 0;
} }
...@@ -188,7 +188,7 @@ int cx88_risc_databuffer(struct pci_dev *pci, struct btcx_riscmem *risc, ...@@ -188,7 +188,7 @@ int cx88_risc_databuffer(struct pci_dev *pci, struct btcx_riscmem *risc,
/* save pointer to jmp instruction address */ /* save pointer to jmp instruction address */
risc->jmp = rp; risc->jmp = rp;
BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size); BUG_ON((risc->jmp - risc->cpu + 2) * sizeof (*risc->cpu) > risc->size);
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment