[Mesa-dev] [PATCH] hud: don't overrun malloced arrays

Marek Olšák maraeo at gmail.com
Mon Aug 11 03:22:13 PDT 2014


Reviewed-by: Marek Olšák <marek.olsak at amd.com>

Marek

On Mon, Aug 11, 2014 at 4:09 AM, Dave Airlie <airlied at gmail.com> wrote:
> From: Dave Airlie <airlied at redhat.com>
>
> ==17630== Invalid read of size 4
> ==17630==    at 0x400AE10: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
> ==17630==    by 0x49024A2: u_upload_data (u_upload_mgr.c:253)
> ==17630==    by 0x49050E1: u_vbuf_draw_vbo (u_vbuf.c:980)
> ==17630==    by 0x487DE29: cso_draw_vbo (cso_context.c:1425)
> ==17630==    by 0x487DEA0: cso_draw_arrays (cso_context.c:1445)
> ==17630==    by 0x48A3B0E: hud_draw_colored_prims.constprop.6 (hud_context.c:123)
> ==17630==    by 0x48A4810: hud_draw (hud_context.c:266)
> ==17630==    by 0x48763F7: dri_flush (dri_drawable.c:483)
> ==17630==    by 0x4057510: dri2Flush.constprop.4 (dri2_glx.c:559)
> ==17630==    by 0x405789E: dri2SwapBuffers (dri2_glx.c:851)
> ==17630==    by 0x402C531: glXSwapBuffers (glxcmds.c:842)
> ==17630==    by 0x8049716: ??? (in /usr/bin/glxgears)
> ==17630==  Address 0x4426b2c is 4 bytes after a block of size 1,008 alloc'd
> ==17630==    at 0x4006B11: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
> ==17630==    by 0x48A4CE7: hud_pane_add_graph (hud_context.c:625)
> ==17630==    by 0x48A68F0: hud_pipe_query_install (hud_driver_query.c:175)
> ==17630==    by 0x48A6A30: hud_driver_query_install (hud_driver_query.c:207)
> ==17630==    by 0x48A5835: hud_create (hud_context.c:791)
> ==17630==    by 0x48756CB: dri_create_context (dri_context.c:165)
> ==17630==    by 0x4871CD4: driCreateContextAttribs (dri_util.c:435)
> ==17630==    by 0x4871E06: driCreateNewContext (dri_util.c:464)
> ==17630==    by 0x4056A22: dri2_create_context (dri2_glx.c:223)
> ==17630==    by 0x402CF68: CreateContext (glxcmds.c:299)
> ==17630==    by 0x402D265: glXCreateContext (glxcmds.c:430)
> ==17630==    by 0x804B136: ??? (in /usr/bin/glxgears)
>
> This is due to second vertex element being specified, and the upload
> tries to fetch over the end. However the pane rendering only requires
> a single vertex element, so specify only one.
>
> Signed-off-by: Dave Airlie <airlied at redhat.com>
> ---
>  src/gallium/auxiliary/hud/hud_context.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/src/gallium/auxiliary/hud/hud_context.c b/src/gallium/auxiliary/hud/hud_context.c
> index b6e0184..a05d3c4 100644
> --- a/src/gallium/auxiliary/hud/hud_context.c
> +++ b/src/gallium/auxiliary/hud/hud_context.c
> @@ -532,6 +532,7 @@ hud_draw(struct hud_context *hud, struct pipe_resource *tex)
>     pipe_resource_reference(&hud->text.vbuf.buffer, NULL);
>
>     /* draw the rest */
> +   cso_set_vertex_elements(cso, 1, hud->velems);
>     LIST_FOR_EACH_ENTRY(pane, &hud->pane_list, head) {
>        if (pane)
>           hud_pane_draw_colored_objects(hud, pane);
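Review bot: The added `cso_set_vertex_elements(cso, 1, hud->velems);` ahead of the pane loop has no comment explaining the literal count of 1, and the existing `/* draw the rest */` comment says nothing about vertex layout. Without the valgrind trace from the commit message in front of them, a later reader could take the 1 for a mistake and restore the second element, bringing back the read past the end of the malloc'd vertex array. A short comment above the call would help, stating that pane rendering needs only a single vertex element and that binding a second one makes the upload fetch beyond the allocation. Separately, the hunk does not show the single-element state being undone after the loop, so it is worth confirming that nothing drawn later in `hud_draw` expects the earlier vertex element setup to still be bound.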
> --
> 1.9.3