@@ -414,8 +414,10 @@ static int coda_alloc_framebuffers(struct coda_ctx *ctx,
size = round_up(ysize, 4096) + ysize / 2;
else
size = ysize + ysize / 2;
- if (ctx->codec->src_fourcc == V4L2_PIX_FMT_H264 &&
- dev->devtype->product != CODA_DX6)
+ /* Add space for mvcol buffers */
+ if (dev->devtype->product != CODA_DX6 &&
+ (ctx->codec->src_fourcc == V4L2_PIX_FMT_H264 ||
+ (ctx->codec->src_fourcc == V4L2_PIX_FMT_MPEG4 && i == 0)))
size += ysize / 4;
name = kasprintf(GFP_KERNEL, "fb%d", i);
if (!name) {
The MPEG-4 decoder mvcol buffer was registered, but its size not added to a frame buffer allocation. This could cause the decoder to write past the end of the allocated buffer for large frame sizes. Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> --- drivers/media/platform/coda/coda-bit.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)