virgl/video: Fix out-of-bounds access in fill_mpeg4_picture_desc()

An out-of-bounds access has occurred to array ref[2] and it needs
to be fixed.

Fixes: 6b5aecb19558 ("virgl: add support for hardware video acceleration")
Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
Reviewed-by: Gert Wollny <gert.wollny@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23160>

diff --git a/src/gallium/drivers/virgl/virgl_video.c b/src/gallium/drivers/virgl/virgl_video.c
index a23583e..1924288 100644 (file)
--- a/src/gallium/drivers/virgl/virgl_video.c
+++ b/src/gallium/drivers/virgl/virgl_video.c
@@ -551,7 +551,7 @@ static int fill_mpeg4_picture_desc(const struct pipe_picture_desc *desc,
     ITEM_SET(vmpeg4, mpeg4, top_field_first);
     ITEM_CPY(vmpeg4, mpeg4, intra_matrix);
     ITEM_CPY(vmpeg4, mpeg4, non_intra_matrix);
-    for (i = 0; i < 16; i++) {
+    for (i = 0; i < ARRAY_SIZE(mpeg4->ref); i++) {
         vbuf = virgl_video_buffer(mpeg4->ref[i]);
         vmpeg4->ref[i] = vbuf ? vbuf->handle : 0;
     }