[Mesa-dev] [PATCH] intel/decoder: fix the possible out of bounds group_iter

Andrii Simiklit asimiklit.work at gmail.com
Thu Aug 9 11:35:25 UTC 2018


The "gen_group_get_length" function can return a negative value,
and it can lead to an out-of-bounds group_iter.

Signed-off-by: Andrii Simiklit <andrii.simiklit at globallogic.com>
---
 src/intel/common/gen_decoder.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/intel/common/gen_decoder.c b/src/intel/common/gen_decoder.c
index ec0a486..f09bd87 100644
--- a/src/intel/common/gen_decoder.c
+++ b/src/intel/common/gen_decoder.c
@@ -803,8 +803,10 @@ static bool
 iter_more_groups(const struct gen_field_iterator *iter)
 {
    if (iter->group->variable) {
-      return iter_group_offset_bits(iter, iter->group_iter + 1) <
-              (gen_group_get_length(iter->group, iter->p) * 32);
+      const int length = gen_group_get_length(iter->group, iter->p);
+      return length > 0 &&
+             iter_group_offset_bits(iter, iter->group_iter + 1) <
+              (length * 32);
    } else {
       return (iter->group_iter + 1) < iter->group->group_count ||
          iter->group->next != NULL;
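Review bot: the new `length > 0` guard fixes the symptom but the hunk does not say why a negative `length` caused an out-of-bounds `group_iter`; the likely cause is that `length * 32` (signed) is compared against the result of `iter_group_offset_bits()`, and if that returns an unsigned type the negative product is converted to a very large unsigned value, making the `<` test always true. Please state that in the commit message or in a one-line comment above the guard, and also note that the guard now rejects `length == 0` as well as negative values, which is a deliberate choice worth recording. Minor style point: the continuation line `(length * 32);` is indented one column deeper than the `iter_group_offset_bits(...)` line it belongs to; align it with the start of that expression, e.g. `             (length * 32);`.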
-- 
2.7.4