Mesa (master): mesa: fix out of bounds memory read in mipmap gen code

[Brian Paul]

Module: Mesa
Branch: master
Commit: 4ff3467daf0ac07e4295c7d2e2ad3c3c8c89dff6
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=4ff3467daf0ac07e4295c7d2e2ad3c3c8c89dff6

Author: Brian Paul <brianp at vmware.com>
Date:   Wed Sep  1 13:21:51 2010 -0600

mesa: fix out of bounds memory read in mipmap gen code

Out of bounds reads could happen for reducing WxH to WxH/2
or WxH to W/2xH.

Fixes fd.o bug 29918.

---

 src/mesa/main/mipmap.c |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/mesa/main/mipmap.c b/src/mesa/main/mipmap.c
index c0c29f7..678d17a 100644
--- a/src/mesa/main/mipmap.c
+++ b/src/mesa/main/mipmap.c
@@ -1005,21 +1005,28 @@ make_2d_mipmap(GLenum datatype, GLuint comps, GLint border,
    const GLint dstRowBytes = bpt * dstRowStride;
    const GLubyte *srcA, *srcB;
    GLubyte *dst;
-   GLint row;
+   GLint row, srcRowStep;
 
    /* Compute src and dst pointers, skipping any border */
    srcA = srcPtr + border * ((srcWidth + 1) * bpt);
-   if (srcHeight > 1) 
+   if (srcHeight > 1 && srcHeight > dstHeight) {
+      /* sample from two source rows */
       srcB = srcA + srcRowBytes;
-   else
+      srcRowStep = 2;
+   }
+   else {
+      /* sample from one source row */
       srcB = srcA;
+      srcRowStep = 1;
+   }
+
    dst = dstPtr + border * ((dstWidth + 1) * bpt);
 
    for (row = 0; row < dstHeightNB; row++) {
       do_row(datatype, comps, srcWidthNB, srcA, srcB,
              dstWidthNB, dst);
-      srcA += 2 * srcRowBytes;
-      srcB += 2 * srcRowBytes;
+      srcA += srcRowStep * srcRowBytes;
+      srcB += srcRowStep * srcRowBytes;
       dst += dstRowBytes;
    }