Mesa (master): nvc0: fix out of bounds writes for unaligned sizes in push_data

Christoph Bumiller chrisbmr at kemper.freedesktop.org
Tue Jan 8 15:14:36 UTC 2013


Module: Mesa
Branch: master
Commit: 076f4ced8b7bbf2074cf932e653b1da6db2e2380
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=076f4ced8b7bbf2074cf932e653b1da6db2e2380

Author: Christoph Bumiller <e0425955 at student.tuwien.ac.at>
Date:   Tue Jan  8 13:46:24 2013 +0100

nvc0: fix out of bounds writes for unaligned sizes in push_data

---

 src/gallium/drivers/nvc0/nvc0_transfer.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/gallium/drivers/nvc0/nvc0_transfer.c b/src/gallium/drivers/nvc0/nvc0_transfer.c
index 66753c9..16467ce 100644
--- a/src/gallium/drivers/nvc0/nvc0_transfer.c
+++ b/src/gallium/drivers/nvc0/nvc0_transfer.c
@@ -201,7 +201,7 @@ nvc0_m2mf_push_linear(struct nouveau_context *nv,
       PUSH_DATAh(push, dst->offset + offset);
       PUSH_DATA (push, dst->offset + offset);
       BEGIN_NVC0(push, NVC0_M2MF(LINE_LENGTH_IN), 2);
-      PUSH_DATA (push, nr * 4);
+      PUSH_DATA (push, MIN2(size, nr * 4));
       PUSH_DATA (push, 1);
       BEGIN_NVC0(push, NVC0_M2MF(EXEC), 1);
       PUSH_DATA (push, 0x100111);
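Review bot: The clamp `MIN2(size, nr * 4)` limits only the byte count the engine writes to the destination; the number of data words pushed from `src` is still `nr`. If `count` is `size` rounded up to whole dwords (its computation is outside the hunk), the last chunk of an unaligned transfer presumably still reads up to three bytes past the end of the caller's source buffer, so it is worth confirming that callers pad their data or staging the tail dword through a zeroed temporary. A short comment on the clamped line would also help, e.g. `/* nr counts dwords; size may not be a multiple of 4, so clamp the last line to the bytes left */`. The same applies to the matching `LINE_LENGTH_IN` hunk in nve4_p2mf_push_linear; both function bodies start and end outside the hunks.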
@@ -213,6 +213,7 @@ nvc0_m2mf_push_linear(struct nouveau_context *nv,
       count -= nr;
       src += nr;
       offset += nr * 4;
+      size -= nr * 4;
    }
 
    nouveau_bufctx_reset(nvc0->bufctx, 0);
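Review bot: `size -= nr * 4;` wraps on the last chunk of an unaligned transfer, because there `nr * 4` is larger than the bytes remaining; if `size` is unsigned (its declaration is outside the hunk) it ends up as a very large value. This is harmless only while the loop terminates on `count` reaching zero and `size` is not read after the loop, neither of which is visible here. Writing `size -= MIN2(size, nr * 4);` keeps it at zero and stops a later use of `size` from turning into an oversized length. The identical line added to nve4_p2mf_push_linear has the same issue.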
@@ -246,7 +247,7 @@ nve4_p2mf_push_linear(struct nouveau_context *nv,
       PUSH_DATAh(push, dst->offset + offset);
       PUSH_DATA (push, dst->offset + offset);
       BEGIN_NVC0(push, NVE4_P2MF(LINE_LENGTH_IN), 2);
-      PUSH_DATA (push, nr * 4);
+      PUSH_DATA (push, MIN2(size, nr * 4));
       PUSH_DATA (push, 1);
       /* must not be interrupted (trap on QUERY fence, 0x50 works however) */
       BEGIN_1IC0(push, NVE4_P2MF(EXEC), nr + 1);
@@ -256,6 +257,7 @@ nve4_p2mf_push_linear(struct nouveau_context *nv,
       count -= nr;
       src += nr;
       offset += nr * 4;
+      size -= nr * 4;
    }
 
    nouveau_bufctx_reset(nvc0->bufctx, 0);



