From 70e19345a591f463772448d33d065e33d1703388 Mon Sep 17 00:00:00 2001 From: Feng Jiang Date: Mon, 22 May 2023 14:27:25 +0800 Subject: [PATCH] virgl/video: Fix out-of-bounds access in fill_mpeg4_picture_desc() An out-of-bounds access has occurred to array ref[2] and it needs to be fixed. Fixes: 6b5aecb19558 ("virgl: add support for hardware video acceleration") Signed-off-by: Feng Jiang Reviewed-by: Gert Wollny Part-of: (cherry picked from commit 5c2f6d3f8e8bdabf93ceb6e5c34e4fffa865bd41) --- .pick_status.json | 2 +- src/gallium/drivers/virgl/virgl_video.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.pick_status.json b/.pick_status.json index 67d02a8180d..4d46ddfef85 100644 --- a/.pick_status.json +++ b/.pick_status.json @@ -1867,7 +1867,7 @@ "description": "virgl/video: Fix out-of-bounds access in fill_mpeg4_picture_desc()", "nominated": true, "nomination_type": 1, - "resolution": 0, + "resolution": 1, "main_sha": null, "because_sha": "6b5aecb19558200fd39fda46db08456ba7acc180" }, diff --git a/src/gallium/drivers/virgl/virgl_video.c b/src/gallium/drivers/virgl/virgl_video.c index f5aa89db141..72b7f8f3196 100644 --- a/src/gallium/drivers/virgl/virgl_video.c +++ b/src/gallium/drivers/virgl/virgl_video.c @@ -551,7 +551,7 @@ static int fill_mpeg4_picture_desc(const struct pipe_picture_desc *desc, ITEM_SET(vmpeg4, mpeg4, top_field_first); ITEM_CPY(vmpeg4, mpeg4, intra_matrix); ITEM_CPY(vmpeg4, mpeg4, non_intra_matrix); - for (i = 0; i < 16; i++) { + for (i = 0; i < ARRAY_SIZE(mpeg4->ref); i++) { vbuf = virgl_video_buffer(mpeg4->ref[i]); vmpeg4->ref[i] = vbuf ? vbuf->handle : 0; }