[Mesa-dev] [Bug 53426] New: out-of-bounds access src/mesa/main/fbobject:222

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sun Aug 12 18:01:16 PDT 2012


https://bugs.freedesktop.org/show_bug.cgi?id=53426

             Bug #: 53426
           Summary: out-of-bounds access src/mesa/main/fbobject:222
    Classification: Unclassified
           Product: Mesa
           Version: git
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Other
        AssignedTo: mesa-dev at lists.freedesktop.org
        ReportedBy: vlee at freedesktop.org
                CC: brianp at vmware.com


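Reported by Coverity (static analysis). In the annotated listing below, the "At (n):" lines are the path Coverity followed through the function. On that path attachment is 36073, so i = 36073 - 36064 = 9 and the index used at line 222 is 8 + 9 = 17. At 680 / 17 = 40 bytes per element, the 640-byte fb->Attachment array holds 16 elements, so index 17 is past its end. The only bound on i in this function is ctx->Const.MaxColorAttachments, so the access stays in range only if that value can never exceed the slots available from BUFFER_COLOR0 onward (at most 8 by the sizes above). The listing does not show where that limit is enforced.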

 188struct gl_renderbuffer_attachment *
 189_mesa_get_attachment(struct gl_context *ctx, struct gl_framebuffer *fb,
 190                     GLenum attachment)
 191{
 192   GLuint i;
 193
At (1): Condition "_mesa_is_user_fbo(fb)", taking true branch
 194   assert(_mesa_is_user_fbo(fb));
 195
At (2): Switch case value "36073U"
 196   switch (attachment) {
 197   case GL_COLOR_ATTACHMENT0_EXT:
 198   case GL_COLOR_ATTACHMENT1_EXT:
 199   case GL_COLOR_ATTACHMENT2_EXT:
 200   case GL_COLOR_ATTACHMENT3_EXT:
 201   case GL_COLOR_ATTACHMENT4_EXT:
 202   case GL_COLOR_ATTACHMENT5_EXT:
 203   case GL_COLOR_ATTACHMENT6_EXT:
 204   case GL_COLOR_ATTACHMENT7_EXT:
 205   case GL_COLOR_ATTACHMENT8_EXT:
 206   case GL_COLOR_ATTACHMENT9_EXT:
 207   case GL_COLOR_ATTACHMENT10_EXT:
 208   case GL_COLOR_ATTACHMENT11_EXT:
 209   case GL_COLOR_ATTACHMENT12_EXT:
 210   case GL_COLOR_ATTACHMENT13_EXT:
 211   case GL_COLOR_ATTACHMENT14_EXT:
 212   case GL_COLOR_ATTACHMENT15_EXT:
 213      /* Only OpenGL ES 1.x forbids color attachments other than
 214       * GL_COLOR_ATTACHMENT0.  For all other APIs the limit set by the
 215       * hardware is used.
 216       */
At (3): Assigning: "i" = "attachment - 36064U".
 217      i = attachment - GL_COLOR_ATTACHMENT0_EXT;
At (4): Condition "i >= ctx->Const.MaxColorAttachments", taking false branch
At (5): Condition "i > 0U", taking true branch
At (6): Condition "ctx->API == 1U", taking false branch
 218      if (i >= ctx->Const.MaxColorAttachments
 219          || (i > 0 && ctx->API == API_OPENGLES)) {
 220         return NULL;
 221      }
CID 714349: Out-of-bounds access (OVERRUN)
At (7): "&fb->Attachment[8U + i]" evaluates to an address that is at byte
offset 680 of an array of 640 bytes.
 222      return &fb->Attachment[BUFFER_COLOR0 + i];
 223   case GL_DEPTH_STENCIL_ATTACHMENT:
 224      if (!_mesa_is_desktop_gl(ctx))
 225         return NULL;
 226      /* fall-through */
 227   case GL_DEPTH_ATTACHMENT_EXT:
 228      return &fb->Attachment[BUFFER_DEPTH];
 229   case GL_STENCIL_ATTACHMENT_EXT:
 230      return &fb->Attachment[BUFFER_STENCIL];
 231   default:
 232      return NULL;
 233   }
 234}
