[Bug 107544] intel/decoder: out of bounds group_iter
bugzilla-daemon at freedesktop.org
Mon Aug 13 15:54:53 UTC 2018
https://bugs.freedesktop.org/show_bug.cgi?id=107544
--- Comment #4 from asimiklit <andrey.simiklit at gmail.com> ---
Created attachment 141069
--> https://bugs.freedesktop.org/attachment.cgi?id=141069&action=edit
simple reproducer
(In reply to Lionel Landwerlin from comment #3)
> Could you attach the file that is causing the crash?
> Thanks!
Hi,
The simple reproducer is attached.
I think that my patch can help avoid some issues
with new command types in "batchbuffer" in the future.
But it is not enough to fix this issue.
As far as I understood, the decoder currently tries to determine
the length of the BLEND_STATE structure based on the command type.
But BLEND_STATE is placed in the "statebuffer" and
does not have any headers, just data.
We create the following structure in gen_decoder.c:387:
    struct gen_group *group = create_group(ctx, "", atts, ctx->group, false);
    previous_group->next = group; // previous_group->name is "BLEND_STATE"
with the following settings:
group->fixed_length is false
and
group->variable is true
That is why we tried to determine the length based on command type.
Is it expected behavior?
Regards,
Andrii.
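
The mismatch described in this comment, as an added illustration that is not part of the original message and is not Mesa's code: a length taken from dword 0 of header-less state data is ordinary payload, so an iterator that trusts it must at least be clamped to the end of the buffer. The `struct group` layout, the function names, the "length minus 2" header encoding and the sample buffer are assumptions made for the example; clamping stops the out-of-bounds read but does not make the decoded length correct.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified group descriptor; not Mesa's struct gen_group. */
struct group {
    bool     variable;      /* true: length is read from the data itself */
    uint32_t fixed_dwords;  /* used only when variable is false */
};

/* Constructed sample: 4 dwords of header-less state data. */
static const uint32_t sample_state[4] = { 0x000000ff, 0, 0, 0 };

/* Treats the low byte of dword 0 as a command length field (assumed
 * "length minus 2" encoding). On header-less data this is just payload. */
static uint32_t length_from_header(const uint32_t *p)
{
    return (p[0] & 0xff) + 2;
}

/* Number of dwords that may be iterated: the claimed length, clamped to
 * what is left between p and end. */
static uint32_t bounded_group_dwords(const struct group *g,
                                     const uint32_t *p, const uint32_t *end)
{
    if (p >= end)
        return 0;
    uint32_t avail = (uint32_t)(end - p);
    uint32_t want = g->variable ? length_from_header(p) : g->fixed_dwords;
    return want < avail ? want : avail;
}

/* Sums the dwords of one group without ever reading at or past end. */
static uint32_t walk_group(const struct group *g, const uint32_t *p,
                           const uint32_t *end)
{
    uint32_t n = bounded_group_dwords(g, p, end), sum = 0;
    for (uint32_t i = 0; i < n; i++)
        sum += p[i];
    return sum;
}

int main(void)
{
    struct group g = { .variable = true, .fixed_dwords = 0 };
    const uint32_t *end = sample_state + 4;
    printf("claimed=%u iterated=%u\n", length_from_header(sample_state),
           bounded_group_dwords(&g, sample_state, end));
    return walk_group(&g, sample_state, end) == 0xff ? 0 : 1;
}
```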