Mesa (master): util/bitset: Avoid out-of-bounds reads

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Wed Apr 7 15:07:38 UTC 2021


Module: Mesa
Branch: master
Commit: 8cd7950014bb86eb4c7e1b062ff7a7d0ef6fb76c
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=8cd7950014bb86eb4c7e1b062ff7a7d0ef6fb76c

Author: Connor Abbott <cwabbott0 at gmail.com>
Date:   Tue Feb 23 17:30:33 2021 +0100

util/bitset: Avoid out-of-bounds reads

I missed a corner case here: when the next range ends right at the end
of the bitset, we need to return immediately to avoid trying to search
after the bitset. And when finding the next end, we similarly need to
bail if the range is size 1 at the very end of the range. In practice
this probably wouldn't have been noticed, because it would break out of
the loop anyway, but I happened to be running something using this under
Valgrind and it complained.

Reviewed-by: Eric Anholt <eric at anholt.net>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/10076>

---

 src/util/bitset.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/util/bitset.h b/src/util/bitset.h
index 8225070f703..29de65e839c 100644
--- a/src/util/bitset.h
+++ b/src/util/bitset.h
@@ -165,6 +165,10 @@ __bitset_next_range(unsigned *start, unsigned *end, const BITSET_WORD *set,
     * 0-bit after the range.
     */
    unsigned word = BITSET_BITWORD(*end);
+   if (word >= BITSET_WORDS(size)) {
+      *start = *end = size;
+      return;
+   }
    BITSET_WORD tmp = set[word] & ~(BITSET_BIT(*end) - 1);
    while (!tmp) {
       word++;
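
Review bot: the guard added before the `set[word]` read compares word indices (`word >= BITSET_WORDS(size)`), so it fires only when `*end` lands on a word boundary at or past the word count. When `size` is not a multiple of the word width and `*end == size`, the read still goes ahead against the last word. That read is within the array, but the lines shown here do not say how bits above `size` in that word are treated. A one-line comment naming the case this guard covers (a range ending exactly at the end of the bitset, per the commit message) would fit the style of the block comment just above it. If an empty result is also correct for the unaligned case, testing `*end >= size` would state the intent more directly.
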
@@ -182,6 +186,10 @@ __bitset_next_range(unsigned *start, unsigned *end, const BITSET_WORD *set,
     * 0-bit.
     */
    word = BITSET_BITWORD(*start + 1);
+   if (word >= BITSET_WORDS(size)) {
+      *end = size;
+      return;
+   }
    tmp = set[word] | (BITSET_BIT(*start + 1) - 1);
    while (~tmp == 0) {
       word++;
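
Review bot: the second guard, placed before `tmp = set[word] | (BITSET_BIT(*start + 1) - 1);`, repeats the first guard's condition but returns a different result (`*end = size` only, leaving `*start` as found), and nothing in the hunk explains the difference. A short comment saying this is the size-1 range at the very end of the set would show the asymmetry is deliberate. The diffstat lists only `src/util/bitset.h`, so the corner case found under Valgrind has no regression test. A test that sets only the final bit of a set whose size is a multiple of the word width and then iterates its ranges should exercise both guards.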
