Commit 1f65ea41 authored by Hans Verkuil's avatar Hans Verkuil Committed by Mauro Carvalho Chehab
Browse files

media: vivid: dev->bitmap_cap wasn't freed in all cases 



Whenever the compose width/height values change, the dev->bitmap_cap
vmalloc'ed array must be freed and dev->bitmap_cap set to NULL.

This was done in some places, but not all. This is only an issue if
overlay support is enabled and the bitmap clipping is used.

Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: ef834f78 ([media] vivid: add the video capture and output parts)
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@kernel.org>
parent f8bcaf71

drivers/media/test-drivers/vivid/vivid-vid-cap.c

+13 −5
Original line number Diff line number Diff line
@@ -453,6 +453,12 @@ void vivid_update_format_cap(struct vivid_dev *dev, bool keep_controls) 
	tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap);

	dev->crop_cap = dev->src_rect;

	dev->crop_bounds_cap = dev->src_rect;

	if (dev->bitmap_cap &&

	    (dev->compose_cap.width != dev->crop_cap.width ||

	     dev->compose_cap.height != dev->crop_cap.height)) {

		vfree(dev->bitmap_cap);

		dev->bitmap_cap = NULL;

	}

	dev->compose_cap = dev->crop_cap;

	if (V4L2_FIELD_HAS_T_OR_B(dev->field_cap))

		dev->compose_cap.height /= 2;
@@ -913,6 +919,8 @@ int vivid_vid_cap_s_selection(struct file *file, void *fh, struct v4l2_selection 
	struct vivid_dev *dev = video_drvdata(file);

	struct v4l2_rect *crop = &dev->crop_cap;

	struct v4l2_rect *compose = &dev->compose_cap;

	unsigned orig_compose_w = compose->width;

	unsigned orig_compose_h = compose->height;

	unsigned factor = V4L2_FIELD_HAS_T_OR_B(dev->field_cap) ? 2 : 1;

	int ret;
@@ -1029,17 +1037,17 @@ int vivid_vid_cap_s_selection(struct file *file, void *fh, struct v4l2_selection 
			s->r.height /= factor;

		}

		v4l2_rect_map_inside(&s->r, &dev->fmt_cap_rect);

		if (dev->bitmap_cap && (compose->width != s->r.width ||

					compose->height != s->r.height)) {

			vfree(dev->bitmap_cap);

			dev->bitmap_cap = NULL;

		}

		*compose = s->r;

		break;

	default:

		return -EINVAL;

	}



	if (dev->bitmap_cap && (compose->width != orig_compose_w ||

				compose->height != orig_compose_h)) {

		vfree(dev->bitmap_cap);

		dev->bitmap_cap = NULL;

	}

	tpg_s_crop_compose(&dev->tpg, crop, compose);

	return 0;

}