[Mesa-dev] [Bug 63569] New: Function table in get_unpack_rgba_function incorrectly populated

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Apr 15 12:50:16 PDT 2013 

https://bugs.freedesktop.org/show_bug.cgi?id=63569

          Priority: medium
             Group: Mesa Security
            Bug ID: 63569
                CC: anuj.phogat at gmail.com, brianp at vmware.com,
                    jljusten at gmail.com
          Assignee: mesa-dev at lists.freedesktop.org
           Summary: Function table in get_unpack_rgba_function incorrectly
                    populated
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: idr at freedesktop.org
          Hardware: All
            Status: NEW
           Version: unspecified
         Component: Mesa core
           Product: Mesa

A recent run of Klocwork static analysis found the following issue:

    'table' array elements are used uninitialized in this function with
    index range: [77, 103] [105, 107] [109, 111] [113, 115] [117, 119]
    [121, 123] EQ(154) EQ(167). Also there is one similar error on line
    1685.

There's at least one bug here, but I think there may be more.  It may also
legitimately be a security issue.  Not all entries in the table are
initialized, but a check at the end of the function (added in 1a814217 by
Jordan) checks that the function pointer is not NULL before returning.  At the
very least, the table should be memset to 0.

However, some of the slots that are missing map to formats that I think should
have decode functions.  For example, the table has an entry for
MESA_FORMAT_RGBA_UINT32, but not for MESA_FORMAT_R_UINT32 (121),
MESA_FORMAT_RG_UINT32 (122), or MESA_FORMAT_RGB_UINT32 (123). 
MESA_FORMAT_ETC2_SRGB8_PUNCHTHROUGH_ALPHA1 (154) is also missing, but the other
ETC2 formats are present.

It seems to me that the only NULL entry in the table should be
MESA_FORMAT_NONE.  If that is in fact the case, we should add a unit test.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/mesa-dev/attachments/20130415/bcaeb057/attachment.html>

More information about the mesa-dev mailing list