[Mesa-dev] [PATCH] r200: Avoid out of bounds array access.
Ian Romanick
idr at freedesktop.org
Mon Dec 8 13:34:48 PST 2014
Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>
How'd you come across this?
On 12/08/2014 11:34 AM, Matt Turner wrote:
> ---
> Patch formatted with -U22 so that reviewers can see regs definition,
> and last element initialization with -1.
>
> src/mesa/drivers/dri/r200/r200_sanity.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/mesa/drivers/dri/r200/r200_sanity.c b/src/mesa/drivers/dri/r200/r200_sanity.c
> index dd3cf81..34d83d8 100644
> --- a/src/mesa/drivers/dri/r200/r200_sanity.c
> +++ b/src/mesa/drivers/dri/r200/r200_sanity.c
> @@ -603,45 +603,45 @@ struct reg {
> int idx;
> struct reg_names *closest;
> int flags;
> union fi current;
> union fi *values;
> int nvalues;
> int nalloc;
> float vmin, vmax;
> };
>
>
> static struct reg regs[Elements(reg_names)+1];
> static struct reg scalars[512+1];
> static struct reg vectors[512*4+1];
>
> static int total, total_changed, bufs;
>
> static void init_regs( void )
> {
> struct reg_names *tmp;
> int i;
>
> - for (i = 0 ; i < Elements(regs) ; i++) {
> + for (i = 0 ; i < Elements(reg_names) ; i++) {
> regs[i].idx = reg_names[i].idx;
> regs[i].closest = ®_names[i];
> regs[i].flags = 0;
> }
>
> for (i = 0, tmp = scalar_names ; i < Elements(scalars) ; i++) {
> if (tmp[1].idx == i) tmp++;
> scalars[i].idx = i;
> scalars[i].closest = tmp;
> scalars[i].flags = ISFLOAT;
> }
>
> for (i = 0, tmp = vector_names ; i < Elements(vectors) ; i++) {
> if (tmp[1].idx*4 == i) tmp++;
> vectors[i].idx = i;
> vectors[i].closest = tmp;
> vectors[i].flags = ISFLOAT|ISVEC;
> }
>
> regs[Elements(regs)-1].idx = -1;
> scalars[Elements(scalars)-1].idx = -1;
> vectors[Elements(vectors)-1].idx = -1;
>
More information about the mesa-dev
mailing list