[media] vivid: fix buffer overrun

The random_line buffer must be twice the maximum width, but it only allocated
the maximum width, so it was only half the size it needed to be.

Surprisingly I never saw the kernel fail on this, but the same TPG code used in
qv4l2 crashed and valgrind helped me track this bug down.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

diff --git a/drivers/media/platform/vivid/vivid-tpg.c b/drivers/media/platform/vivid/vivid-tpg.c
index 0c6fa53fa64614f34090e076717c43e094150230..cbcd6250e7b2afc3feec4456337700e3ae11b300 100644 (file)
--- a/drivers/media/platform/vivid/vivid-tpg.c
+++ b/drivers/media/platform/vivid/vivid-tpg.c
@@ -136,7 +136,7 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w)
                tpg->black_line[plane] = vzalloc(max_w * pixelsz);
                if (!tpg->black_line[plane])
                        return -ENOMEM;
-               tpg->random_line[plane] = vzalloc(max_w * pixelsz);
+               tpg->random_line[plane] = vzalloc(max_w * 2 * pixelsz);
                if (!tpg->random_line[plane])
                        return -ENOMEM;
        }