[Mesa-dev] [PATCH 1/2] r600g, radeonsi: Fix calculation of IR target cap string buffer size

Marek Olšák maraeo at gmail.com
Fri Jan 23 13:01:56 PST 2015


Reviewed-by: Marek Olšák <marek.olsak at amd.com>

Marek

On Thu, Jan 22, 2015 at 4:41 AM, Michel Dänzer <michel at daenzer.net> wrote:
> From: Michel Dänzer <michel.daenzer at amd.com>
>
> Fixes writing beyond the allocated buffer:
>
> ==31855== Invalid write of size 1
> ==31855==    at 0x50AB2A9: vsprintf (iovsprintf.c:43)
> ==31855==    by 0x508F6F6: sprintf (sprintf.c:32)
> ==31855==    by 0xB59C7EC: r600_get_compute_param (r600_pipe_common.c:526)
> ==31855==    by 0x5B2B7DE: get_compute_param<char> (device.cpp:37)
> ==31855==    by 0x5B2B7DE: clover::device::ir_target() const (device.cpp:201)
> ==31855==    by 0x5B398E0: clover::program::build(clover::ref_vector<clover::device> const&, char const*, clover::compat::vector<clover::compat::pair<clover::compat::string, clover::compat::string> > const&) (program.cpp:63)
> ==31855==    by 0x5B20152: clBuildProgram (program.cpp:182)
> ==31855==    by 0x400F41: main (hello_world.c:109)
> ==31855==  Address 0x56fed5f is 0 bytes after a block of size 15 alloc'd
> ==31855==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
> ==31855==    by 0x5B2B7C2: allocate (new_allocator.h:104)
> ==31855==    by 0x5B2B7C2: allocate (alloc_traits.h:357)
> ==31855==    by 0x5B2B7C2: _M_allocate (stl_vector.h:170)
> ==31855==    by 0x5B2B7C2: _M_create_storage (stl_vector.h:185)
> ==31855==    by 0x5B2B7C2: _Vector_base (stl_vector.h:136)
> ==31855==    by 0x5B2B7C2: vector (stl_vector.h:278)
> ==31855==    by 0x5B2B7C2: get_compute_param<char> (device.cpp:35)
> ==31855==    by 0x5B2B7C2: clover::device::ir_target() const (device.cpp:201)
> ==31855==    by 0x5B398E0: clover::program::build(clover::ref_vector<clover::device> const&, char const*, clover::compat::vector<clover::compat::pair<clover::compat::string, clover::compat::string> > const&) (program.cpp:63)
> ==31855==    by 0x5B20152: clBuildProgram (program.cpp:182)
> ==31855==    by 0x400F41: main (hello_world.c:109)
>
> Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>
> ---
>  src/gallium/drivers/radeon/r600_pipe_common.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/gallium/drivers/radeon/r600_pipe_common.c b/src/gallium/drivers/radeon/r600_pipe_common.c
> index f91772e..ddb4142 100644
> --- a/src/gallium/drivers/radeon/r600_pipe_common.c
> +++ b/src/gallium/drivers/radeon/r600_pipe_common.c
> @@ -524,9 +524,9 @@ static int r600_get_compute_param(struct pipe_screen *screen,
>                 }
>                 if (ret) {
>                         sprintf(ret, "%s-%s", gpu, triple);
> -
>                 }
> -               return (strlen(triple) + strlen(gpu)) * sizeof(char);
> +               /* +2 for dash and terminating NIL byte */
> +               return (strlen(triple) + strlen(gpu) + 2) * sizeof(char);
>         }
>         case PIPE_COMPUTE_CAP_GRID_DIMENSION:
>                 if (ret) {
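Review bot: the sprintf(ret, "%s-%s", gpu, triple) call at the top of this hunk is still an unbounded write, and the size on the new return line is worked out by hand, separately from that format string, so the two can drift apart again if the format ever changes. Consider computing the length once into a local (strlen(gpu) + 1 + strlen(triple) + 1) next to the format string and returning that, so the dash and terminator are accounted for in one place. Minor: the new comment says "NIL byte"; the usual name for the string terminator is NUL.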
> --
> 2.1.4
>