[Bug 107544] intel/decoder: out of bounds group_iter

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Aug 13 15:54:53 UTC 2018


--- Comment #4 from asimiklit <andrey.simiklit at gmail.com> ---
Created attachment 141069
  --> https://bugs.freedesktop.org/attachment.cgi?id=141069&action=edit
simple reproducer

(In reply to Lionel Landwerlin from comment #3)
> Could you attach the file that is causing the crash?
> Thanks!


The simple reproducer is attached.
I think that my patch can help avoid some issues
with new command types in "batchbuffer" in the future. 
But it is not enough to fix this issue. 
As far as I understood currently the decoder tries to determine
the length of the structure BLEND_STATE based on command type. 
But BLEND_STATE is placed in "statebuffer" and 
does not have any headers just a data.

We create the following structure in gen_decoder.c:387

struct gen_group *group = create_group(ctx, "", atts, ctx->group, false);
previous_group->next = group;//previous_group->name is "BLEND_STATE"

with the following settings:

group->fixed_length is false


group->variable is true

That is why we tried to determine the length based on command type. 
Is it expected behavior?


You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/intel-3d-bugs/attachments/20180813/f44ae164/attachment.html>

More information about the intel-3d-bugs mailing list