Mesa (master): i915: Bail when the fragment program has too many total instructions.
Eric Anholt
anholt at kemper.freedesktop.org
Thu Oct 1 22:08:05 UTC 2009
Module: Mesa
Branch: master
Commit: 4ff816751f74b0645c198372937eec589c458a60
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=4ff816751f74b0645c198372937eec589c458a60
Author: Eric Anholt <eric at anholt.net>
Date: Wed Jul 29 22:39:15 2009 -0700
i915: Bail when the fragment program has too many total instructions.
Previously, we'd go trashing the heap.
---
src/mesa/drivers/dri/i915/i915_program.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/src/mesa/drivers/dri/i915/i915_program.c b/src/mesa/drivers/dri/i915/i915_program.c
index 85a1b0c..6ccc9ee 100644
--- a/src/mesa/drivers/dri/i915/i915_program.c
+++ b/src/mesa/drivers/dri/i915/i915_program.c
@@ -186,6 +186,11 @@ i915_emit_arith(struct i915_fragment_program * p,
p->utemp_flag = old_utemp_flag; /* restore */
}
+ if (p->csr >= p->program + I915_PROGRAM_SIZE) {
+ i915_program_error(p, "Program contains too many instructions");
+ return UREG_BAD;
+ }
+
*(p->csr++) = (op | A0_DEST(dest) | mask | saturate | A0_SRC0(src0));
*(p->csr++) = (A1_SRC0(src0) | A1_SRC1(src1));
*(p->csr++) = (A2_SRC1(src1) | A2_SRC2(src2));
@@ -270,6 +275,11 @@ GLuint i915_emit_texld( struct i915_fragment_program *p,
p->register_phases[GET_UREG_NR(coord)] == p->nr_tex_indirect)
p->nr_tex_indirect++;
+ if (p->csr >= p->program + I915_PROGRAM_SIZE) {
+ i915_program_error(p, "Program contains too many instructions");
+ return UREG_BAD;
+ }
+
*(p->csr++) = (op |
T0_DEST( dest ) |
T0_SAMPLER( sampler ));
More information about the mesa-commit
mailing list