From: Feng Jiang <jiangfeng@kylinos.cn>
Date: Mon, 22 May 2023 06:27:25 +0000 (+0800)
Subject: virgl/video: Fix out-of-bounds access in fill_mpeg4_picture_desc()
X-Git-Tag: upstream/23.3.3~5805
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5c2f6d3f8e8bdabf93ceb6e5c34e4fffa865bd41;p=platform%2Fupstream%2Fmesa.git

virgl/video: Fix out-of-bounds access in fill_mpeg4_picture_desc()

An out-of-bounds access has occurred to array ref[2] and it needs
to be fixed.

Fixes: 6b5aecb19558 ("virgl: add support for hardware video acceleration")
Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
Reviewed-by: Gert Wollny <gert.wollny@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23160>
---

diff --git a/src/gallium/drivers/virgl/virgl_video.c b/src/gallium/drivers/virgl/virgl_video.c
index a23583e..1924288 100644
--- a/src/gallium/drivers/virgl/virgl_video.c
+++ b/src/gallium/drivers/virgl/virgl_video.c
@@ -551,7 +551,7 @@ static int fill_mpeg4_picture_desc(const struct pipe_picture_desc *desc,
     ITEM_SET(vmpeg4, mpeg4, top_field_first);
     ITEM_CPY(vmpeg4, mpeg4, intra_matrix);
     ITEM_CPY(vmpeg4, mpeg4, non_intra_matrix);
-    for (i = 0; i < 16; i++) {
+    for (i = 0; i < ARRAY_SIZE(mpeg4->ref); i++) {
         vbuf = virgl_video_buffer(mpeg4->ref[i]);
         vmpeg4->ref[i] = vbuf ? vbuf->handle : 0;
     }