vc1: fix bitplane buffer size (SNB, IVB).

This fixes buffer overflow in the newly allocated Gen buffer that holds
VC-1 bitplanes.

Signed-off-by: Gwenole Beauchesne <gwenole.beauchesne@intel.com>

diff --git a/NEWS b/NEWS
index 8c5ac97..806ad43 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ libva-driver-intel NEWS -- summary of changes.  2012-02-DD
 Copyright (C) 2009-2011 Intel Corporation
 
 Version 1.0.16 - DD.Feb.2012
+* Fix VC-1 bitplane buffer size (SNB, IVB)
 * Fix VC-1 motion vector modes for Ivy Bridge
 * Fix MFX_QM_STATE for H.264 flat scaling lists (IVB)
 * Fix and simplify AVC_REF_IDX_STATE setup (ILK, SNB, IVB)

diff --git a/src/gen6_mfd.c b/src/gen6_mfd.c
index 8280771..c87a65f 100644 (file)
--- a/src/gen6_mfd.c
+++ b/src/gen6_mfd.c
@@ -1502,7 +1502,7 @@ gen6_mfd_vc1_decode_init(VADriverContextP ctx,
 
         bo = dri_bo_alloc(i965->intel.bufmgr,
                           "VC-1 Bitplane",
-                          bitplane_width * bitplane_width,
+                          bitplane_width * height_in_mbs,
                           0x1000);
         assert(bo);
         gen6_mfd_context->bitplane_read_buffer.bo = bo;

diff --git a/src/gen7_mfd.c b/src/gen7_mfd.c
index 02047c1..7b89e1c 100644 (file)
--- a/src/gen7_mfd.c
+++ b/src/gen7_mfd.c
@@ -1469,7 +1469,7 @@ gen7_mfd_vc1_decode_init(VADriverContextP ctx,
 
         bo = dri_bo_alloc(i965->intel.bufmgr,
                           "VC-1 Bitplane",
-                          bitplane_width * bitplane_width,
+                          bitplane_width * height_in_mbs,
                           0x1000);
         assert(bo);
         gen7_mfd_context->bitplane_read_buffer.bo = bo;