[Mesa-dev] [PATCH 1/2] Eliminate several cases of multiplication in arguments to calloc

Carl Worth cworth at cworth.org
Wed Sep 3 16:09:03 PDT 2014


In commit 32f2fd1c5d6088692551c80352b7d6fa35b0cd09, several calls to
_mesa_calloc(x) were replaced with calls to calloc(1, x). This is strictly
equivalent to what the code was doing previously.

But for cases where "x" involves multiplication, now that we are explicitly
using the two-argument calloc, we can do one step better and replace:

	calloc(1, A * B);

with:

	calloc(A, B);

The advantage of the latter is that calloc will detect any overflow that would
have resulted from the multiplication and will fail the allocation (whereas
the former would return an allocation smaller than intended). So this fix can
change potentially exploitable buffer overruns into segmentation faults.
---
 src/gallium/drivers/freedreno/a2xx/ir-a2xx.c | 2 +-
 src/gallium/drivers/freedreno/ir3/ir3.c      | 2 +-
 src/gallium/drivers/r600/r600_asm.c          | 2 +-
 src/mapi/glapi/gen/gl_gentable.py            | 2 +-
 src/mesa/drivers/dri/common/utils.c          | 2 +-
 src/mesa/drivers/dri/i965/brw_state_cache.c  | 4 ++--
 src/mesa/main/atifragshader.c                | 8 ++++----
 src/mesa/program/prog_instruction.c          | 2 +-
 src/mesa/program/prog_optimize.c             | 6 +++---
 src/mesa/program/prog_parameter.c            | 2 +-
 src/mesa/vbo/vbo_exec_array.c                | 2 +-
 11 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/src/gallium/drivers/freedreno/a2xx/ir-a2xx.c b/src/gallium/drivers/freedreno/a2xx/ir-a2xx.c
index 18afba8..cff5a27 100644
--- a/src/gallium/drivers/freedreno/a2xx/ir-a2xx.c
+++ b/src/gallium/drivers/freedreno/a2xx/ir-a2xx.c
@@ -146,7 +146,7 @@ void * ir2_shader_assemble(struct ir2_shader *shader, struct ir2_shader_info *in
 		goto fail;
 	}
 
-	ptr = dwords = calloc(1, 4 * info->sizedwords);
+	ptr = dwords = calloc(4, info->sizedwords);
 
 	/* second pass, emit CF program in pairs: */
 	for (i = 0; i < shader->cfs_count; i += 2) {
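Review bot: The result of `calloc(4, info->sizedwords)` is used without a NULL check, so an overflow that calloc now rejects presumably ends as a NULL write in the second pass that follows, not as a handled error. The function already has a `fail` label earlier in this hunk, so `if (!dwords) goto fail;` right after the allocation would fit, assuming that path does not itself touch `ptr`; ir2_shader_assemble continues outside the hunk, so that needs confirming. No check is visible after the changed calls in ir3_assemble, rehash, brw_init_caches, _mesa_BeginFragmentShaderATI, the three prog_optimize.c passes or _mesa_new_parameter_list_sized either, although a check may sit just outside those hunks.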
diff --git a/src/gallium/drivers/freedreno/ir3/ir3.c b/src/gallium/drivers/freedreno/ir3/ir3.c
index ea2a925..3da10fb 100644
--- a/src/gallium/drivers/freedreno/ir3/ir3.c
+++ b/src/gallium/drivers/freedreno/ir3/ir3.c
@@ -554,7 +554,7 @@ void * ir3_assemble(struct ir3 *shader, struct ir3_info *info)
 	 */
 	info->sizedwords = 2 * align(shader->instrs_count, 4);
 
-	ptr = dwords = calloc(1, 4 * info->sizedwords);
+	ptr = dwords = calloc(4, info->sizedwords);
 
 	for (i = 0; i < shader->instrs_count; i++) {
 		struct ir3_instruction *instr = shader->instrs[i];
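Review bot: calloc's overflow check covers only `4 * info->sizedwords`; the value itself comes from `2 * align(shader->instrs_count, 4)` two lines above, and if that arithmetic wraps, the count handed to calloc is small but valid while the loop below still runs to `shader->instrs_count`. The types of instrs_count and sizedwords are not visible here, so whether a wrap is reachable is an assumption to confirm. Bounding instrs_count before the assignment, with a comment such as `/* calloc checks only the final multiply; sizedwords must not have wrapped */`, would close the gap. The same pattern appears at `num_modes = num_depth_stencil_bits * ...` followed by `num_modes + 1` in driCreateConfigs and at `size = cache->size * 3` in rehash. ir3_assemble continues outside the hunk.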
diff --git a/src/gallium/drivers/r600/r600_asm.c b/src/gallium/drivers/r600/r600_asm.c
index 4da918c..8aa69b5 100644
--- a/src/gallium/drivers/r600/r600_asm.c
+++ b/src/gallium/drivers/r600/r600_asm.c
@@ -1590,7 +1590,7 @@ int r600_bytecode_build(struct r600_bytecode *bc)
 		bc->ndw = cf->addr + cf->ndw;
 	}
 	free(bc->bytecode);
-	bc->bytecode = calloc(1, bc->ndw * 4);
+	bc->bytecode = calloc(4, bc->ndw);
 	if (bc->bytecode == NULL)
 		return -ENOMEM;
 	LIST_FOR_EACH_ENTRY(cf, &bc->cf, list) {
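Review bot: `calloc(4, bc->ndw)` passes the element size first and the count second, the reverse of calloc's `(nmemb, size)` signature that the other call sites in this patch follow. The result is the same, but the transposed form reads as four elements of ndw bytes, and GCC's -Wcalloc-transposed-args flags this order when the first argument is a sizeof; `bc->bytecode = calloc(bc->ndw, 4);` keeps the series consistent. The same swap applies to `calloc(4, info->sizedwords)` in ir-a2xx.c and ir3.c and to the two `calloc(sizeof(struct ...), MAX_...)` calls in atifragshader.c.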
diff --git a/src/mapi/glapi/gen/gl_gentable.py b/src/mapi/glapi/gen/gl_gentable.py
index 7577b66..ce9af99 100644
--- a/src/mapi/glapi/gen/gl_gentable.py
+++ b/src/mapi/glapi/gen/gl_gentable.py
@@ -113,7 +113,7 @@ __glapi_gentable_set_remaining_noop(struct _glapi_table *disp) {
 
 struct _glapi_table *
 _glapi_create_table_from_handle(void *handle, const char *symbol_prefix) {
-    struct _glapi_table *disp = calloc(1, _glapi_get_dispatch_table_size() * sizeof(_glapi_proc));
+    struct _glapi_table *disp = calloc(_glapi_get_dispatch_table_size(), sizeof(_glapi_proc));
     char symboln[512];
 
     if(!disp)
diff --git a/src/mesa/drivers/dri/common/utils.c b/src/mesa/drivers/dri/common/utils.c
index e0b3db8..1f30966 100644
--- a/src/mesa/drivers/dri/common/utils.c
+++ b/src/mesa/drivers/dri/common/utils.c
@@ -238,7 +238,7 @@ driCreateConfigs(mesa_format format,
    is_srgb = _mesa_get_format_color_encoding(format) == GL_SRGB;
 
    num_modes = num_depth_stencil_bits * num_db_modes * num_accum_bits * num_msaa_modes;
-   configs = calloc(1, (num_modes + 1) * sizeof *configs);
+   configs = calloc((num_modes + 1), sizeof *configs);
    if (configs == NULL)
        return NULL;
 
diff --git a/src/mesa/drivers/dri/i965/brw_state_cache.c b/src/mesa/drivers/dri/i965/brw_state_cache.c
index 19079c8..bb5047e 100644
--- a/src/mesa/drivers/dri/i965/brw_state_cache.c
+++ b/src/mesa/drivers/dri/i965/brw_state_cache.c
@@ -115,7 +115,7 @@ rehash(struct brw_cache *cache)
    GLuint size, i;
 
    size = cache->size * 3;
-   items = calloc(1, size * sizeof(*items));
+   items = calloc(size, sizeof(*items));
 
    for (i = 0; i < cache->size; i++)
       for (c = cache->items[i]; c; c = next) {
@@ -334,7 +334,7 @@ brw_init_caches(struct brw_context *brw)
    cache->size = 7;
    cache->n_items = 0;
    cache->items =
-      calloc(1, cache->size * sizeof(struct brw_cache_item *));
+      calloc(cache->size, sizeof(struct brw_cache_item *));
 
    cache->bo = drm_intel_bo_alloc(brw->bufmgr,
 				  "program cache",
diff --git a/src/mesa/main/atifragshader.c b/src/mesa/main/atifragshader.c
index 7077c96..1eab773 100644
--- a/src/mesa/main/atifragshader.c
+++ b/src/mesa/main/atifragshader.c
@@ -325,11 +325,11 @@ _mesa_BeginFragmentShaderATI(void)
       a start */
    for (i = 0; i < MAX_NUM_PASSES_ATI; i++) {
       ctx->ATIFragmentShader.Current->Instructions[i] =
-	 calloc(1, sizeof(struct atifs_instruction) *
-		   (MAX_NUM_INSTRUCTIONS_PER_PASS_ATI));
+	 calloc(sizeof(struct atifs_instruction),
+                MAX_NUM_INSTRUCTIONS_PER_PASS_ATI);
       ctx->ATIFragmentShader.Current->SetupInst[i] =
-	 calloc(1, sizeof(struct atifs_setupinst) *
-		   (MAX_NUM_FRAGMENT_REGISTERS_ATI));
+	 calloc(sizeof(struct atifs_setupinst),
+                MAX_NUM_FRAGMENT_REGISTERS_ATI);
    }
 
 /* can't rely on calloc for initialization as it's possible to redefine a shader (?) */
diff --git a/src/mesa/program/prog_instruction.c b/src/mesa/program/prog_instruction.c
index dcfedb7..dc0a510 100644
--- a/src/mesa/program/prog_instruction.c
+++ b/src/mesa/program/prog_instruction.c
@@ -70,7 +70,7 @@ struct prog_instruction *
 _mesa_alloc_instructions(GLuint numInst)
 {
    return
-      calloc(1, numInst * sizeof(struct prog_instruction));
+      calloc(numInst, sizeof(struct prog_instruction));
 }
 
 
diff --git a/src/mesa/program/prog_optimize.c b/src/mesa/program/prog_optimize.c
index 6153f5e..08c1c30 100644
--- a/src/mesa/program/prog_optimize.c
+++ b/src/mesa/program/prog_optimize.c
@@ -260,7 +260,7 @@ _mesa_remove_dead_code_global(struct gl_program *prog)
    }
 
    removeInst =
-      calloc(1, prog->NumInstructions * sizeof(GLboolean));
+      calloc(prog->NumInstructions, sizeof(GLboolean));
 
    /* Determine which temps are read and written */
    for (i = 0; i < prog->NumInstructions; i++) {
@@ -602,7 +602,7 @@ _mesa_remove_dead_code_local(struct gl_program *prog)
    GLuint i, arg, rem = 0;
 
    removeInst =
-      calloc(1, prog->NumInstructions * sizeof(GLboolean));
+      calloc(prog->NumInstructions, sizeof(GLboolean));
 
    for (i = 0; i < prog->NumInstructions; i++) {
       const struct prog_instruction *inst = prog->Instructions + i;
@@ -743,7 +743,7 @@ _mesa_remove_extra_moves(struct gl_program *prog)
    }
 
    removeInst =
-      calloc(1, prog->NumInstructions * sizeof(GLboolean));
+      calloc(prog->NumInstructions, sizeof(GLboolean));
 
    /*
     * Look for sequences such as this:
diff --git a/src/mesa/program/prog_parameter.c b/src/mesa/program/prog_parameter.c
index 54531d2..f43deba 100644
--- a/src/mesa/program/prog_parameter.c
+++ b/src/mesa/program/prog_parameter.c
@@ -54,7 +54,7 @@ _mesa_new_parameter_list_sized(unsigned size)
 
       /* alloc arrays */
       p->Parameters = (struct gl_program_parameter *)
-	 calloc(1, size * sizeof(struct gl_program_parameter));
+	 calloc(size, sizeof(struct gl_program_parameter));
 
       p->ParameterValues = (gl_constant_value (*)[4])
          _mesa_align_malloc(size * 4 *sizeof(gl_constant_value), 16);
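Review bot: The context line `_mesa_align_malloc(size * 4 *sizeof(gl_constant_value), 16)` still multiplies the same `size` with no overflow check, and because `size` is `unsigned` the `size * 4` part is evaluated in unsigned arithmetic before the sizeof widens it. After this change the two arrays can therefore disagree: Parameters is sized for `size` entries or fails, while ParameterValues may come back smaller than `size` entries. Writing the size as `(size_t)size * 4 * sizeof(gl_constant_value)` and rejecting `size > SIZE_MAX / (4 * sizeof(gl_constant_value))` before both allocations would make them fail together. Whether patch 2/2 covers this is not visible here, and the function's error path lies outside the hunk, so the handling needs to match it.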
diff --git a/src/mesa/vbo/vbo_exec_array.c b/src/mesa/vbo/vbo_exec_array.c
index 3f7058d..22557e1 100644
--- a/src/mesa/vbo/vbo_exec_array.c
+++ b/src/mesa/vbo/vbo_exec_array.c
@@ -1313,7 +1313,7 @@ vbo_validated_multidrawelements(struct gl_context *ctx, GLenum mode,
    if (primcount == 0)
       return;
 
-   prim = calloc(1, primcount * sizeof(*prim));
+   prim = calloc(primcount, sizeof(*prim));
    if (prim == NULL) {
       _mesa_error(ctx, GL_OUT_OF_MEMORY, "glMultiDrawElements");
       return;
-- 
2.1.0


