Mesa (master): i915: out-of-bounds write in calc_live_regs()
Chris Wilson
ickle at kemper.freedesktop.org
Fri Sep 30 21:14:31 UTC 2011
Module: Mesa
Branch: master
Commit: 67582e6eef789324b527b4753065aea366145f4e
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=67582e6eef789324b527b4753065aea366145f4e
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date: Fri Sep 30 22:10:33 2011 +0100
i915: out-of-bounds write in calc_live_regs()
From a Coverity defect report.
src/mesa/drivers/dri/i915/i915_fragprog.c
301 /*
302 * TODO: consider moving this into core
303 */
304 static bool calc_live_regs( struct i915_fragment_program *p )
305 {
306 const struct gl_fragment_program *program = &p->FragProg;
307 GLuint regsUsed = 0xffff0000;
-> 308 uint8_t live_components[16] = { 0, };
309 GLint i;
310
311 for (i = program->Base.NumInstructions - 1; i >= 0; i--) {
312 struct prog_instruction *inst =
&program->Base.Instructions[i];
313 int opArgs = _mesa_num_inst_src_regs(inst->Opcode);
314 int a;
315
316 /* Register is written to: unmark as live for this and
preceeding ops */
317 if (inst->DstReg.File == PROGRAM_TEMPORARY) {
-> 318 if (inst->DstReg.Index > 16)
319 return false;
320
-> 321 live_components[inst->DstReg.Index] &= ~inst->DstReg.WriteMask;
322 if (live_components[inst->DstReg.Index] == 0)
323 regsUsed &= ~(1 << inst->DstReg.Index);
324 }
325
326 for (a = 0; a < opArgs; a++) {
327 /* Register is read from: mark as live for this and preceeding ops */
328 if (inst->SrcReg[a].File == PROGRAM_TEMPORARY) {
329 unsigned c;
330
331 if (inst->SrcReg[a].Index > 16)
332 return false;
333
334 regsUsed |= 1 << inst->SrcReg[a].Index;
335
336 for (c = 0; c < 4; c++) {
337 const unsigned field = GET_SWZ(inst->SrcReg[a].Swizzle, c);
338
339 if (field <= SWIZZLE_W)
340 live_components[inst->SrcReg[a].Index] |= (1U << field);
341 }
342 }
343 }
344
345 p->usedRegs[i] = regsUsed;
346 }
Reported-by: Vinson Lee <vlee at vmware.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=40022
Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
---
src/mesa/drivers/dri/i915/i915_fragprog.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/mesa/drivers/dri/i915/i915_fragprog.c b/src/mesa/drivers/dri/i915/i915_fragprog.c
index d155b85..e155d16 100644
--- a/src/mesa/drivers/dri/i915/i915_fragprog.c
+++ b/src/mesa/drivers/dri/i915/i915_fragprog.c
@@ -304,8 +304,8 @@ do { \
static bool calc_live_regs( struct i915_fragment_program *p )
{
const struct gl_fragment_program *program = &p->FragProg;
- GLuint regsUsed = 0xffff0000;
- uint8_t live_components[16] = { 0, };
+ GLuint regsUsed = ~((1 << I915_MAX_TEMPORARY) - 1);
+ uint8_t live_components[I915_MAX_TEMPORARY] = { 0, };
GLint i;
for (i = program->Base.NumInstructions - 1; i >= 0; i--) {
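Review bot: The new initialiser `~((1 << I915_MAX_TEMPORARY) - 1)` shifts a signed `int`, so it is only well defined while I915_MAX_TEMPORARY stays below 31. `regsUsed` is also a single GLuint mask, so it cannot track more temporaries than it has bits. The constant's value is not visible in this hunk (the old literals imply 16), so I would use an unsigned shift, `GLuint regsUsed = ~((1U << I915_MAX_TEMPORARY) - 1);`, and record the limit beside it with a comment such as `/* regsUsed is a 32-bit mask: I915_MAX_TEMPORARY must stay below 32 */` or an equivalent compile-time assertion. The body of calc_live_regs() continues outside this hunk.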
@@ -315,7 +315,7 @@ static bool calc_live_regs( struct i915_fragment_program *p )
/* Register is written to: unmark as live for this and preceeding ops */
if (inst->DstReg.File == PROGRAM_TEMPORARY) {
- if (inst->DstReg.Index > 16)
+ if (inst->DstReg.Index >= I915_MAX_TEMPORARY)
return false;
live_components[inst->DstReg.Index] &= ~inst->DstReg.WriteMask;
@@ -328,7 +328,7 @@ static bool calc_live_regs( struct i915_fragment_program *p )
if (inst->SrcReg[a].File == PROGRAM_TEMPORARY) {
unsigned c;
- if (inst->SrcReg[a].Index > 16)
+ if (inst->SrcReg[a].Index >= I915_MAX_TEMPORARY)
return false;
regsUsed |= 1 << inst->SrcReg[a].Index;
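Review bot: The tightened check `inst->SrcReg[a].Index >= I915_MAX_TEMPORARY` bounds the index only from above. If `Index` is a signed field (its declaration is not in this hunk), a negative value would pass the check, reach `1 << inst->SrcReg[a].Index` on the last line here, and then be used to index `live_components[]` later in the loop, outside the hunk. Rejecting both ends closes that path: `if (inst->SrcReg[a].Index < 0 || inst->SrcReg[a].Index >= I915_MAX_TEMPORARY)`. The `DstReg.Index` check in the preceding hunk has the same shape and would need the same lower bound if that field is signed too.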