[Mesa-dev] [Bug 53199] New: out-of-bounds read src/gallium/drivers/softpipe/sp_flush.c:59
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Mon Aug 6 23:59:00 PDT 2012
https://bugs.freedesktop.org/show_bug.cgi?id=53199
Bug #: 53199
Summary: out-of-bounds read
src/gallium/drivers/softpipe/sp_flush.c:59
Classification: Unclassified
Product: Mesa
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: medium
Component: Other
AssignedTo: mesa-dev at lists.freedesktop.org
ReportedBy: vlee at freedesktop.org
CC: brianp at vmware.com
mesa: 7d65356d8a4d268dce4c933d7704d709e1cdacfa (master)
Coverity reports a out-of-bounds read defect.
44void
45softpipe_flush( struct pipe_context *pipe,
46 unsigned flags,
47 struct pipe_fence_handle **fence )
48{
49 struct softpipe_context *softpipe = softpipe_context(pipe);
50 uint i;
51
52 draw_flush(softpipe->draw);
53
At (1): Condition "flags & 2U", taking true branch
54 if (flags & SP_FLUSH_TEXTURE_CACHE) {
55 unsigned sh;
56
At (2): Condition "sh < 4U", taking true branch
At (9): Condition "sh < 4U", taking true branch
At (16): Condition "sh < 4U", taking true branch
57 for (sh = 0; sh < PIPE_SHADER_TYPES; sh++) {
At (3): Condition "i < softpipe->num_sampler_views[sh]", taking true branch
At (5): Condition "i < softpipe->num_sampler_views[sh]", taking true branch
At (7): Condition "i < softpipe->num_sampler_views[sh]", taking false branch
At (10): Condition "i < softpipe->num_sampler_views[sh]", taking true branch
At (12): Condition "i < softpipe->num_sampler_views[sh]", taking true branch
At (14): Condition "i < softpipe->num_sampler_views[sh]", taking false branch
At (17): Condition "i < softpipe->num_sampler_views[sh]", taking true branch
58 for (i = 0; i < softpipe->num_sampler_views[sh]; i++) {
CID 714585: Out-of-bounds read (OVERRUN) [select defect]
CID 714587: Out-of-bounds read (OVERRUN_STATIC)
At (18): Overrunning static array "softpipe->tex_cache", with 3 elements, at
position 3 with index variable "sh".
59 sp_flush_tex_tile_cache(softpipe->tex_cache[sh][i]);
At (4): Jumping back to the beginning of the loop
At (6): Jumping back to the beginning of the loop
At (11): Jumping back to the beginning of the loop
At (13): Jumping back to the beginning of the loop
60 }
At (8): Jumping back to the beginning of the loop
At (15): Jumping back to the beginning of the loop
61 }
62 }
src/gallium/include/pipe/p_defines.h
347 /**
348 * Shaders
349 */
350 #define PIPE_SHADER_VERTEX 0
351 #define PIPE_SHADER_FRAGMENT 1
352 #define PIPE_SHADER_GEOMETRY 2
353 #define PIPE_SHADER_COMPUTE 3
354 #define PIPE_SHADER_TYPES 4
src/gallium/drivers/softpipe/sp_context.h
180 /*
181 * Texture caches for vertex, fragment, geometry stages.
182 * Don't use PIPE_SHADER_TYPES here to avoid allocating unused
memory
183 * for compute shaders.
184 */
185 struct softpipe_tex_tile_cache
*tex_cache[PIPE_SHADER_GEOMETRY+1][PIPE_MAX_SAMPLERS];
--
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the mesa-dev
mailing list