[Mesa-dev] [PATCH] gallium/tgsi: fix oob access in parse instruction
Li Qiang
liq3ea at gmail.com
Mon Jan 23 08:24:18 UTC 2017
2017-01-23 16:17 GMT+08:00 Marc-André Lureau <mlureau at redhat.com>:
> Hi
>
> ----- Original Message -----
> > When parsing texture instruction, it doesn't stop if the
> > 'cur' is ',', the loop variable 'i' will also be increased
> > and be used to index the 'inst.TexOffsets' array. This can lead
> > to an oob access issue. This patch avoids this.
> >
> > Signed-off-by: Li Qiang <liq3ea at gmail.com>
> > ---
> > src/gallium/auxiliary/tgsi/tgsi_text.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/src/gallium/auxiliary/tgsi/tgsi_text.c
> > b/src/gallium/auxiliary/tgsi/tgsi_text.c
> > index 308e6b5..4ed9050 100644
> > --- a/src/gallium/auxiliary/tgsi/tgsi_text.c
> > +++ b/src/gallium/auxiliary/tgsi/tgsi_text.c
> > @@ -1163,7 +1163,7 @@ parse_instruction(
> >
> > cur = ctx->cur;
> > eat_opt_white( &cur );
> > - for (i = 0; inst.Instruction.Texture && *cur == ','; i++) {
> > + for (i = 0; inst.Instruction.Texture && *cur == ',' && i <
> > TGSI_FULL_MAX_TEX_OFFSETS; i++) {
> > cur++;
> > eat_opt_white( &cur );
> > ctx->cur = cur;
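Review bot: In the new `for` condition, once `i` reaches TGSI_FULL_MAX_TEX_OFFSETS the loop exits with `*cur` still on ',' and nothing in this hunk reports that the instruction carried more offsets than `inst.TexOffsets` can hold, so rejecting that input is left to code outside the hunk. Consider an explicit check right after the loop (if `*cur == ','` at that point, call report_error() and return FALSE) so the limit is enforced and diagnosed where the array is indexed. A smaller style point: putting the `i < TGSI_FULL_MAX_TEX_OFFSETS` test first in the condition would make the bound easier to spot and avoid the awkward line wrap.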
>
> Shouldn't it report_error() and return FALSE in this case?
>
I think there is no need for report_error().
IIUC The guest can provide TGSI_FULL_MAX_TEX_OFFSETS of TexOffset.
If the guest constructs more than this, in the next parsing, it will fail
and this time it will report_error and return FALSE.
So I think we can just limit the loop count here.
Thanks.
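
The bound discussed in this thread, shown on a toy parser as an added example (not Mesa's code and not part of the original message). `toy_inst`, `parse_offsets`, `skip_white` and the value of `MAX_OFFSETS` are assumptions made for illustration; the parser stores at most `MAX_OFFSETS` items and fails the parse when a further `,` item is left over.

```c
#include <stdlib.h>

#define MAX_OFFSETS 4   /* stand-in for TGSI_FULL_MAX_TEX_OFFSETS; value assumed */

struct toy_inst {
    int offsets[MAX_OFFSETS];
    unsigned num_offsets;
};

static void skip_white(const char **cur)
{
    while (**cur == ' ' || **cur == '\t')
        (*cur)++;
}

/* Parse ", N" items into inst->offsets. Returns 1 on success, 0 on error.
 * The index bound is tested before every store, and anything left on the
 * line after the loop is rejected, so a surplus ", N" fails the parse
 * instead of being written past the end of the array. */
static int parse_offsets(const char *text, struct toy_inst *inst)
{
    const char *cur = text;
    unsigned i;

    inst->num_offsets = 0;
    skip_white(&cur);
    for (i = 0; i < MAX_OFFSETS && *cur == ','; i++) {
        char *end;
        long v;

        cur++;
        skip_white(&cur);
        v = strtol(cur, &end, 10);
        if (end == cur)
            return 0;               /* comma not followed by a number */
        inst->offsets[i] = (int)v;  /* i < MAX_OFFSETS holds here */
        cur = end;
        skip_white(&cur);
    }
    inst->num_offsets = i;
    return *cur == '\0';            /* leftover input, e.g. a fifth offset */
}
```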