[Bug 107544] intel/decoder: out of bounds group_iter

Fri Aug 10 11:37:50 UTC 2018

https://bugs.freedesktop.org/show_bug.cgi?id=107544

            Bug ID: 107544
           Summary: intel/decoder: out of bounds group_iter
           Product: Mesa
           Version: 18.2
          Hardware: Other
                OS: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Drivers/DRI/i965
          Assignee: intel-3d-bugs at lists.freedesktop.org
          Reporter: andrey.simiklit at gmail.com
        QA Contact: intel-3d-bugs at lists.freedesktop.org

The "gen_group_get_length" function returns int
but the "iter_group_offset_bits" function returns uint32_t
So uint32_t(int(-32)) = 0xFFFFFFE0U and it looks like unexpected behavior for
me:
iter_group_offset_bits(iter, iter->group_iter + 1) < 0xFFFFFFE0U

This behavior lead my program to crash because 'group_iter' go out of bounds 
when it prints BLEND_STATE on HSW.

I suggested the following solution for it:
https://patchwork.freedesktop.org/patch/243647/

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/intel-3d-bugs/attachments/20180810/7169bf7d/attachment.html>