Mesa (10.3): i965: Use safer pointer arithmetic in intel_texsubimage_tiled_memcpy()

Emil Velikov evelikov at kemper.freedesktop.org
Sun Jan 4 21:30:40 UTC 2015 

Module: Mesa
Branch: 10.3
Commit: 71cd8f1388a2ab9faef5921841686a13cc57e102
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=71cd8f1388a2ab9faef5921841686a13cc57e102

Author: Chad Versace <chad.versace at linux.intel.com>
Date:   Mon Dec 22 15:58:48 2014 -0600

i965: Use safer pointer arithmetic in intel_texsubimage_tiled_memcpy()

This patch reduces the likelihood of pointer arithmetic overflow bugs in
intel_texsubimage_tiled_memcpy() , like the one fixed by b69c7c5dac.

I haven't yet encountered any overflow bugs in the wild along this
patch's codepath. But I recently solved, in commit b69c7c5dac, an overflow
bug in a line of code that looks very similar to pointer arithmetic in
this function.

This patch conceptually applies the same fix as in b69c7c5dac. Instead
of retyping the variables, though, this patch adds some casts. (I tried
to retype the variables as ptrdiff_t, but it quickly got very messy. The
casts are cleaner).

Reviewed-by: Kenneth Graunke <kenneth at whitecape.org>
Signed-off-by: Chad Versace <chad.versace at linux.intel.com>
(cherry picked from commit 225a09790da0b1605a0b68acbbe1e0f30eee3e6f)

---

 src/mesa/drivers/dri/i965/intel_tex_subimage.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/mesa/drivers/dri/i965/intel_tex_subimage.c b/src/mesa/drivers/dri/i965/intel_tex_subimage.c
index a121816..511b7b2 100644
--- a/src/mesa/drivers/dri/i965/intel_tex_subimage.c
+++ b/src/mesa/drivers/dri/i965/intel_tex_subimage.c
@@ -494,8 +494,8 @@ linear_to_tiled(uint32_t xt1, uint32_t xt2,
          /* Translate by (xt,yt) for single-tile copier. */
          tile_copy(x0-xt, x1-xt, x2-xt, x3-xt,
                    y0-yt, y1-yt,
-                   dst + xt * th + yt * dst_pitch,
-                   src + xt      + yt * src_pitch,
+                   dst + (ptrdiff_t) xt * th + (ptrdiff_t) yt * dst_pitch,
+                   src + (ptrdiff_t) xt      + (ptrdiff_t) yt * src_pitch,
                    src_pitch,
                    swizzle_bit,
                    mem_copy);
@@ -660,7 +660,8 @@ intel_texsubimage_tiled_memcpy(struct gl_context * ctx,
    linear_to_tiled(
       xoffset * cpp, (xoffset + width) * cpp,
       yoffset, yoffset + height,
-      bo->virtual, pixels - yoffset * src_pitch - xoffset * cpp,
+      bo->virtual,
+      pixels - (ptrdiff_t) yoffset * src_pitch - (ptrdiff_t) xoffset * cpp,
       image->mt->pitch, src_pitch,
       brw->has_swizzling,
       image->mt->tiling,

More information about the mesa-commit mailing list