<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - intel/decoder: out of bounds group_iter"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=107544">107544</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>intel/decoder: out of bounds group_iter
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Mesa
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>18.2
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Drivers/DRI/i965
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>intel-3d-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>andrey.simiklit@gmail.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>intel-3d-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>The "gen_group_get_length" function returns int
but the "iter_group_offset_bits" function returns uint32_t.
So uint32_t(int(-32)) = 0xFFFFFFE0U and it looks like unexpected behavior to
me:
iter_group_offset_bits(iter, iter->group_iter + 1) < 0xFFFFFFE0U

This behavior led my program to crash because 'group_iter' goes out of bounds 
when it prints BLEND_STATE on HSW.

I suggested the following solution for it:
<a href="https://patchwork.freedesktop.org/patch/243647/">https://patchwork.freedesktop.org/patch/243647/</a></pre>
        </div>
      </p>
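      <p>The signed-to-unsigned conversion described in the report, as an added example that is not part of the original report and is not Mesa's code or the linked patch. The names group_model, offset_bits, has_next_unsafe, has_next_safe and steps_admitted are hypothetical, and the sample values are constructed.</p>

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not Mesa's structures: elements of elem_bits each,
 * starting at start_bits; count is the size of the backing array. */
struct group_model { uint32_t start_bits, elem_bits, count; };

/* Constructed sample: 8 elements of 32 bits. */
static const struct group_model sample = { 0, 32, 8 };

static uint32_t offset_bits(const struct group_model *g, uint32_t idx)
{
    return g->start_bits + idx * g->elem_bits;
}

/* Comparison shape from the report. The cast is what the usual arithmetic
 * conversions do implicitly: int -32 becomes 0xFFFFFFE0. */
static bool has_next_unsafe(const struct group_model *g, uint32_t idx, int len_bits)
{
    return offset_bits(g, idx + 1) < (uint32_t)len_bits;
}

/* One possible hardening (an assumption, not the linked patch): reject a
 * negative length, then compare in a type that holds both operands. */
static bool has_next_safe(const struct group_model *g, uint32_t idx, int len_bits)
{
    if (len_bits < 0)
        return false;
    return (int64_t)offset_bits(g, idx + 1) < (int64_t)len_bits;
}

typedef bool (*has_next_fn)(const struct group_model *, uint32_t, int);
/* Count how many advances the check admits; cap stops the walk so the
 * demo never indexes real memory. */
static uint32_t steps_admitted(has_next_fn has_next, int len_bits, uint32_t cap)
{
    uint32_t idx = 0;
    while (idx < cap && has_next(&sample, idx, len_bits))
        idx++;
    return idx;
}

int main(void)
{
    printf("len=-32: unsafe admits %u steps, safe admits %u (array holds %u)\n",
           steps_admitted(has_next_unsafe, -32, 64),
           steps_admitted(has_next_safe, -32, 64), sample.count);
    return 0;
}
```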


    </body>
</html>