V4L/DVB (3766): Correct buffer size calculations in cx88-core.c

The computation in cx88_risc_buffer suffers from the mistake:
a non-zero padding value can cause more page borders to be crossed,
leading to big buffer over-runs.  
This patch changes the additive constant from 3 + 4 to 4
It also changees the constant in cx88_risc_databuffer from 3 + 4 to 2,
because 2 dwords are the correct vaule.
Signed-off-by: Duncan Sands <baldrick@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

drivers/media/video/cx88/cx88-core.c

@@ -146,9 +146,11 @@ int cx88_risc_buffer(struct pci_dev *pci, struct btcx_riscmem *risc,
 		fields++;
 
 	/* estimate risc mem: worst case is one write per page border +
-	   one write per scan line + syncs + jump (all 2 dwords) */
-	instructions  = (bpl * lines * fields) / PAGE_SIZE + lines * fields;
-	instructions += 3 + 4;
+	   one write per scan line + syncs + jump (all 2 dwords).  Padding
+	   can cause next bpl to start close to a page border.  First DMA
+	   region may be smaller than PAGE_SIZE */
+	instructions  = fields * (1 + ((bpl + padding) * lines) / PAGE_SIZE + lines);
+	instructions += 2;
 	if ((rc = btcx_riscmem_alloc(pci,risc,instructions*8)) < 0)
 		return rc;
 
@@ -176,9 +178,11 @@ int cx88_risc_databuffer(struct pci_dev *pci, struct btcx_riscmem *risc,
 	int rc;
 
 	/* estimate risc mem: worst case is one write per page border +
-	   one write per scan line + syncs + jump (all 2 dwords) */
-	instructions  = (bpl * lines) / PAGE_SIZE + lines;
-	instructions += 3 + 4;
+	   one write per scan line + syncs + jump (all 2 dwords).  Here
+	   there is no padding and no sync.  First DMA region may be smaller
+	   than PAGE_SIZE */
+	instructions  = 1 + (bpl * lines) / PAGE_SIZE + lines;
+	instructions += 1;
 	if ((rc = btcx_riscmem_alloc(pci,risc,instructions*8)) < 0)
 		return rc;