<p dir="ltr"><br>
On Aug 31, 2015 6:48 AM, "Chris Wilson" <<a href="mailto:chris@chris-wilson.co.uk">chris@chris-wilson.co.uk</a>> wrote:<br>
><br>
> From: Jason Ekstrand <<a href="mailto:jason.ekstrand@intel.com">jason.ekstrand@intel.com</a>><br>
><br>
> If the user is specifying a subregion of a buffer using SKIP_ROWS and<br>
> SKIP_PIXELS, we must compute the buffer size carefully as the end of the<br>
> last row may be much shorter than stride*image_height*depth. The current<br>
> code tries to memcpy from beyond the end of the user data, for example<br>
> causing:<br>
><br>
> ==28136== Invalid read of size 8<br>
> ==28136== at 0x4C2D94E: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)<br>
> ==28136== by 0xB4ADFE3: brw_bo_write (brw_batch.c:1856)<br>
> ==28136== by 0xB5B3531: brw_buffer_data (intel_buffer_objects.c:208)<br>
> ==28136== by 0xB0F6275: _mesa_buffer_data (bufferobj.c:1600)<br>
> ==28136== by 0xB0F6346: _mesa_BufferData (bufferobj.c:1631)<br>
> ==28136== by 0xB37A1EE: create_texture_for_pbo (meta_tex_subimage.c:103)<br>
> ==28136== by 0xB37A467: _mesa_meta_pbo_TexSubImage (meta_tex_subimage.c:176)<br>
> ==28136== by 0xB5C8D61: intelTexSubImage (intel_tex_subimage.c:195)<br>
> ==28136== by 0xB254AB4: _mesa_texture_sub_image (teximage.c:3654)<br>
> ==28136== by 0xB254C9F: texsubimage (teximage.c:3712)<br>
> ==28136== by 0xB2550E9: _mesa_TexSubImage2D (teximage.c:3853)<br>
> ==28136== by 0x401CA0: UploadTexSubImage2D (teximage.c:171)<br>
> ==28136== Address 0xd8bfbe0 is 0 bytes after a block of size 1,024 alloc'd<br>
> ==28136== at 0x4C28C20: malloc (vg_replace_malloc.c:296)<br>
> ==28136== by 0x402014: PerfDraw (teximage.c:270)<br>
> ==28136== by 0x402648: Draw (glmain.c:182)<br>
> ==28136== by 0x8385E63: ??? (in /usr/lib/x86_64-linux-gnu/libglut.so.3.9.0)<br>
> ==28136== by 0x83896C8: fgEnumWindows (in /usr/lib/x86_64-linux-gnu/libglut.so.3.9.0)<br>
> ==28136== by 0x838641C: glutMainLoopEvent (in /usr/lib/x86_64-linux-gnu/libglut.so.3.9.0)<br>
> ==28136== by 0x8386C1C: glutMainLoop (in /usr/lib/x86_64-linux-gnu/libglut.so.3.9.0)<br>
> ==28136== by 0x4019C1: main (glmain.c:262)<br>
> ==28136==<br>
> ==28136== Invalid read of size 8<br>
> ==28136== at 0x4C2D940: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)<br>
> ==28136== by 0xB4ADFE3: brw_bo_write (brw_batch.c:1856)<br>
> ==28136== by 0xB5B3531: brw_buffer_data (intel_buffer_objects.c:208)<br>
> ==28136== by 0xB0F6275: _mesa_buffer_data (bufferobj.c:1600)<br>
> ==28136== by 0xB0F6346: _mesa_BufferData (bufferobj.c:1631)<br>
> ==28136== by 0xB37A1EE: create_texture_for_pbo (meta_tex_subimage.c:103)<br>
> ==28136== by 0xB37A467: _mesa_meta_pbo_TexSubImage (meta_tex_subimage.c:176)<br>
> ==28136== by 0xB5C8D61: intelTexSubImage (intel_tex_subimage.c:195)<br>
> ==28136== by 0xB254AB4: _mesa_texture_sub_image (teximage.c:3654)<br>
> ==28136== by 0xB254C9F: texsubimage (teximage.c:3712)<br>
> ==28136== by 0xB2550E9: _mesa_TexSubImage2D (teximage.c:3853)<br>
> ==28136== by 0x401CA0: UploadTexSubImage2D (teximage.c:171)<br>
> ==28136== Address 0xd8bfbe8 is 8 bytes after a block of size 1,024 alloc'd<br>
> ==28136== at 0x4C28C20: malloc (vg_replace_malloc.c:296)<br>
> ==28136== by 0x402014: PerfDraw (teximage.c:270)<br>
> ==28136== by 0x402648: Draw (glmain.c:182)<br>
> ==28136== by 0x8385E63: ??? (in /usr/lib/x86_64-linux-gnu/libglut.so.3.9.0)<br>
> ==28136== by 0x83896C8: fgEnumWindows (in /usr/lib/x86_64-linux-gnu/libglut.so.3.9.0)<br>
> ==28136== by 0x838641C: glutMainLoopEvent (in /usr/lib/x86_64-linux-gnu/libglut.so.3.9.0)<br>
> ==28136== by 0x8386C1C: glutMainLoop (in /usr/lib/x86_64-linux-gnu/libglut.so.3.9.0)<br>
> ==28136== by 0x4019C1: main (glmain.c:262)<br>
> ==28136==<br>
><br>
> Fixes: 7f396189f073d626c5f7a2c232dac92b65f5a23f</p>
<p dir="ltr">How can this fix a SHA? What repo is this SHA in?</p>
<p dir="ltr">> Cc: Jason Ekstrand <<a href="mailto:jason.ekstrand@intel.com">jason.ekstrand@intel.com</a>><br>
> Cc: Neil Roberts <<a href="mailto:neil@linux.intel.com">neil@linux.intel.com</a>><br>
> ---<br>
> src/mesa/drivers/common/meta_tex_subimage.c | 35 +++++++++++++++++------------<br>
> 1 file changed, 21 insertions(+), 14 deletions(-)<br>
><br>
> diff --git a/src/mesa/drivers/common/meta_tex_subimage.c b/src/mesa/drivers/common/meta_tex_subimage.c<br>
> index 16d8f5d..e2351c6 100644<br>
> --- a/src/mesa/drivers/common/meta_tex_subimage.c<br>
> +++ b/src/mesa/drivers/common/meta_tex_subimage.c<br>
> @@ -46,8 +46,9 @@<br>
> #include "varray.h"<br>
><br>
> static struct gl_texture_image *<br>
> -create_texture_for_pbo(struct gl_context *ctx, bool create_pbo,<br>
> - GLenum pbo_target, int width, int height,<br>
> +create_texture_for_pbo(struct gl_context *ctx,<br>
> + bool create_pbo, GLenum pbo_target,<br>
> + int dims, int width, int height, int depth,<br>
> GLenum format, GLenum type, const void *pixels,<br>
> const struct gl_pixelstore_attrib *packing,<br>
> GLuint *tmp_pbo, GLuint *tmp_tex)<br>
> @@ -73,8 +74,12 @@ create_texture_for_pbo(struct gl_context *ctx, bool create_pbo,<br>
> return NULL;<br>
><br>
> /* Account for SKIP_PIXELS, SKIP_ROWS, ALIGNMENT, and SKIP_IMAGES */<br>
> - pixels = _mesa_image_address3d(packing, pixels,<br>
> - width, height, format, type, 0, 0, 0);<br>
> + uint32_t first_pixel = _mesa_image_offset(dims, packing, width, height,<br>
> + format, type,<br>
> + 0, 0, 0);<br>
> + uint32_t last_pixel = _mesa_image_offset(dims, packing, width, height,</p>
<p dir="ltr">We should probably use size_t or ptrdiff_t here instead of uint32_t.</p>
<p dir="ltr">> + format, type,<br>
> + depth-1, height-1, width);<br>
> row_stride = _mesa_image_row_stride(packing, width, format, type);<br>
><br>
> if (_mesa_is_bufferobj(packing->BufferObj)) {<br>
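Review bot: `last_pixel` is computed from `depth-1` and `height-1` with no check that it lands at or after `first_pixel`, and the following hunk passes `last_pixel - first_pixel` straight to `_mesa_BufferData` as a byte count. If a zero height or depth can reach this function (the callers' validation is not visible in this patch), the unsigned subtraction wraps to a huge size. The upload path would then copy far past the end of the user's allocation, which is the failure this patch sets out to fix. A guard right after the two offsets, such as `if (last_pixel < first_pixel) return NULL;`, would make the size computation fail closed. The body of create_texture_for_pbo continues outside this hunk, so confirm that nothing needs cleanup at that point.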
> @@ -97,14 +102,18 @@ create_texture_for_pbo(struct gl_context *ctx, bool create_pbo,<br>
> * data to avoid unnecessary data copying in _mesa_BufferData().<br>
> */<br>
> if (is_pixel_pack)<br>
> - _mesa_BufferData(pbo_target, row_stride * height, NULL,<br>
> + _mesa_BufferData(pbo_target,<br>
> + last_pixel - first_pixel,<br>
> + NULL,</p>
<p dir="ltr">I'm trying to decide whether the NULL here is correct... It's certainly the same as what we had before, but I have a nagging feeling that this should be (void *)first_pixel.</p>
<p dir="ltr">Other than that I really like the approach. It's nice and clean and guarantees that we get the right size.</p>
<p dir="ltr">> GL_STREAM_READ);<br>
> else<br>
> - _mesa_BufferData(pbo_target, row_stride * height, pixels,<br>
> + _mesa_BufferData(pbo_target,<br>
> + last_pixel - first_pixel,<br>
> + (char *)pixels + first_pixel,<br>
> GL_STREAM_DRAW);<br>
><br>
> buffer_obj = packing->BufferObj;<br>
> - pixels = NULL;<br>
> + first_pixel = 0;<br>
><br>
> _mesa_BindBuffer(pbo_target, 0);<br>
> }<br>
> @@ -126,7 +135,7 @@ create_texture_for_pbo(struct gl_context *ctx, bool create_pbo,<br>
> read_only = pbo_target == GL_PIXEL_UNPACK_BUFFER;<br>
> if (!ctx->Driver.SetTextureStorageForBufferObject(ctx, tex_obj,<br>
> buffer_obj,<br>
> - (intptr_t)pixels,<br>
> + first_pixel,<br>
> row_stride,<br>
> read_only)) {<br>
> _mesa_DeleteTextures(1, tmp_tex);<br>
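Review bot: `first_pixel` comes from `_mesa_image_offset()`, which is never given `pixels`, so when the application already has a PBO bound, the buffer offset carried in `pixels` is missing from the value passed to `SetTextureStorageForBufferObject` here. The old `(intptr_t)pixels` included it, because `_mesa_image_address3d` added the packing offset onto `pixels`. The body of the `_mesa_is_bufferobj()` branch lies between the hunks and is unchanged by this patch, so nothing there can add it back. The texture storage would then start at the wrong place in the buffer object and cover a different range than the one requested. Adding `first_pixel += (intptr_t)pixels;` in that branch would restore the previous behaviour.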
> @@ -147,7 +156,7 @@ _mesa_meta_pbo_TexSubImage(struct gl_context *ctx, GLuint dims,<br>
> const struct gl_pixelstore_attrib *packing)<br>
> {<br>
> GLuint pbo = 0, pbo_tex = 0, fbos[2] = { 0, 0 };<br>
> - int full_height, image_height;<br>
> + int image_height;<br>
> struct gl_texture_image *pbo_tex_image;<br>
> GLenum status;<br>
> bool success = false;<br>
> @@ -171,11 +180,10 @@ _mesa_meta_pbo_TexSubImage(struct gl_context *ctx, GLuint dims,<br>
> * property.<br>
> */<br>
> image_height = packing->ImageHeight == 0 ? height : packing->ImageHeight;<br>
> - full_height = image_height * (depth - 1) + height;<br>
><br>
> pbo_tex_image = create_texture_for_pbo(ctx, create_pbo,<br>
> GL_PIXEL_UNPACK_BUFFER,<br>
> - width, full_height,<br>
> + dims, width, height, depth,<br>
> format, type, pixels, packing,<br>
> &pbo, &pbo_tex);<br>
> if (!pbo_tex_image)<br>
> @@ -277,7 +285,7 @@ _mesa_meta_pbo_GetTexSubImage(struct gl_context *ctx, GLuint dims,<br>
> const struct gl_pixelstore_attrib *packing)<br>
> {<br>
> GLuint pbo = 0, pbo_tex = 0, fbos[2] = { 0, 0 };<br>
> - int full_height, image_height;<br>
> + int image_height;<br>
> struct gl_texture_image *pbo_tex_image;<br>
> struct gl_renderbuffer *rb = NULL;<br>
> GLenum dstBaseFormat = _mesa_unpack_format_to_base_format(format);<br>
> @@ -324,10 +332,9 @@ _mesa_meta_pbo_GetTexSubImage(struct gl_context *ctx, GLuint dims,<br>
> * property.<br>
> */<br>
> image_height = packing->ImageHeight == 0 ? height : packing->ImageHeight;<br>
> - full_height = image_height * (depth - 1) + height;<br>
><br>
> pbo_tex_image = create_texture_for_pbo(ctx, false, GL_PIXEL_PACK_BUFFER,<br>
> - width, full_height * depth,<br>
> + dims, width, height, depth,<br>
> format, type, pixels, packing,<br>
> &pbo, &pbo_tex);<br>
> if (!pbo_tex_image)<br>
> --<br>
> 2.5.1<br>
><br>
</p>