[Mesa-dev] [PATCH] swrast: fix possible null dereference

Ian Romanick idr at freedesktop.org
Wed Mar 9 23:23:57 UTC 2016 

On 03/09/2016 10:21 AM, Lars Hamre wrote:
> Fixes a possible null dereference.
> 
> NOTE: this is my first time contributing, please let me know if I
>       should be doing anything differently, thanks!
> 
> Signed-off-by: Lars Hamre <chemecse at gmail.com>
> ---
>  src/mesa/swrast/s_triangle.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/src/mesa/swrast/s_triangle.c b/src/mesa/swrast/s_triangle.c
> index 876a74b..9225974 100644
> --- a/src/mesa/swrast/s_triangle.c
> +++ b/src/mesa/swrast/s_triangle.c
> @@ -781,7 +781,7 @@ fast_persp_span(struct gl_context *ctx, SWspan *span,
>        }
>        break;
>     }
> -
> +
>     assert(span->arrayMask & SPAN_RGBA);
>     _swrast_write_rgba_span(ctx, span);
> 
> @@ -1063,8 +1063,8 @@ _swrast_choose_triangle( struct gl_context *ctx )
>           swImg = swrast_texture_image_const(texImg);
> 
>           format = texImg ? texImg->TexFormat : MESA_FORMAT_NONE;
> -         minFilter = texObj2D ? samp->MinFilter : GL_NONE;
> -         magFilter = texObj2D ? samp->MagFilter : GL_NONE;
> +         minFilter = (texObj2D && samp) ? samp->MinFilter : GL_NONE;
> +         magFilter = (texObj2D && samp) ? samp->MagFilter : GL_NONE;

NAK this hunk.  If texObj2D is not NULL, samp is also not NULL.

>           envMode = ctx->Texture.Unit[0].EnvMode;
> 
>           /* First see if we can use an optimized 2-D texture function */
> @@ -1073,6 +1073,7 @@ _swrast_choose_triangle( struct gl_context *ctx )
>               && !ctx->ATIFragmentShader._Enabled
>               && ctx->Texture._MaxEnabledTexImageUnit == 0
>               && ctx->Texture.Unit[0]._Current->Target == GL_TEXTURE_2D
> +             && samp

I think the 'ctx->Texture.Unit[0]._Current->Target == GL_TEXTURE_2D'
implicitly ensures that samp cannot be NULL.  Have you been able to
cause a NULL dereference in this code path or is this just based on
speculation?

>               && samp->WrapS == GL_REPEAT
>               && samp->WrapT == GL_REPEAT
>               && texObj2D->_Swizzle == SWIZZLE_NOOP
> --
> 2.5.0
> 
> _______________________________________________
> mesa-dev mailing list
> mesa-dev at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/mesa-dev

More information about the mesa-dev mailing list