From 5c2f6d3f8e8bdabf93ceb6e5c34e4fffa865bd41 Mon Sep 17 00:00:00 2001
From: Feng Jiang <jiangfeng@kylinos.cn>
Date: Mon, 22 May 2023 14:27:25 +0800
Subject: [PATCH] virgl/video: Fix out-of-bounds access in
 fill_mpeg4_picture_desc()

An out-of-bounds access has occurred to array ref[2] and it needs
to be fixed.

Fixes: 6b5aecb19558 ("virgl: add support for hardware video acceleration")
Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
Reviewed-by: Gert Wollny <gert.wollny@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23160>
---
 src/gallium/drivers/virgl/virgl_video.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gallium/drivers/virgl/virgl_video.c b/src/gallium/drivers/virgl/virgl_video.c
index a23583e..1924288 100644
--- a/src/gallium/drivers/virgl/virgl_video.c
+++ b/src/gallium/drivers/virgl/virgl_video.c
@@ -551,7 +551,7 @@ static int fill_mpeg4_picture_desc(const struct pipe_picture_desc *desc,
     ITEM_SET(vmpeg4, mpeg4, top_field_first);
     ITEM_CPY(vmpeg4, mpeg4, intra_matrix);
     ITEM_CPY(vmpeg4, mpeg4, non_intra_matrix);
-    for (i = 0; i < 16; i++) {
+    for (i = 0; i < ARRAY_SIZE(mpeg4->ref); i++) {
         vbuf = virgl_video_buffer(mpeg4->ref[i]);
         vmpeg4->ref[i] = vbuf ? vbuf->handle : 0;
     }
-- 
2.7.4