Mesa (8.0): svga: fix invalid memory reference in needs_to_create_zero()

Ian Romanick idr at kemper.freedesktop.org
Sat Oct 13 03:07:54 UTC 2012 

Module: Mesa
Branch: 8.0
Commit: ea1ec0e4b8206ac1fbad8b06cee989dc02ae1202
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=ea1ec0e4b8206ac1fbad8b06cee989dc02ae1202

Author: Brian Paul <brianp at vmware.com>
Date:   Thu Jul 26 13:26:17 2012 -0600

svga: fix invalid memory reference in needs_to_create_zero()

The emit->key.fkey info is only valid if we're generating a fragment shader.
We should not look at it if we're generating a vertex shader.

When generating a vertex shader, the value of emit->key.fkey.num_textures was
garbage and the loop over num_textures would read invalid data.  At best
this would cause us to emit an unused constant.  At worse, we could segfault.
Just by dumb luck, fkey.num_textures was usually a smallish integer.

NOTE: This is a candidate for the 8.0 branch.

Reviewed-by: José Fonseca <jfonseca at vmware.com>
(cherry picked from commit dafa77201f116dc53b18a274fb41eef5bb2bd0e3)

---

 src/gallium/drivers/svga/svga_tgsi_insn.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/gallium/drivers/svga/svga_tgsi_insn.c b/src/gallium/drivers/svga/svga_tgsi_insn.c
index 5a9af89..a289d3a 100644
--- a/src/gallium/drivers/svga/svga_tgsi_insn.c
+++ b/src/gallium/drivers/svga/svga_tgsi_insn.c
@@ -2994,6 +2994,11 @@ needs_to_create_zero( struct svga_shader_emitter *emit )
              emit->key.fkey.tex[i].swizzle_a > PIPE_SWIZZLE_ALPHA)
             return TRUE;
       }
+
+      for (i = 0; i < emit->key.fkey.num_textures; i++) {
+         if (emit->key.fkey.tex[i].compare_mode == PIPE_TEX_COMPARE_R_TO_TEXTURE)
+            return TRUE;
+      }
    }
 
    if (emit->unit == PIPE_SHADER_VERTEX) {
@@ -3017,11 +3022,6 @@ needs_to_create_zero( struct svga_shader_emitter *emit )
        emit->info.opcode_count[TGSI_OPCODE_KILP] >= 1)
       return TRUE;
 
-   for (i = 0; i < emit->key.fkey.num_textures; i++) {
-      if (emit->key.fkey.tex[i].compare_mode == PIPE_TEX_COMPARE_R_TO_TEXTURE)
-         return TRUE;
-   }
-
    return FALSE;
 }

More information about the mesa-commit mailing list