[Mesa-dev] [PATCH] intel/decoder: fix the possible out of bounds group_iter
andrey simiklit
asimiklit.work at gmail.com
Thu Aug 9 12:00:30 UTC 2018
Hi,
Sorry I missed the main thought here.
The "gen_group_get_length" function returns *int*
but the "iter_group_offset_bits" function returns *uint32_t*
So *uint32_t*(*int*(-32)) = *0xFFFFFFE0U* and it looks like unexpected
behavior for me:
iter_group_offset_bits(iter, iter->group_iter + 1) < *0xFFFFFFE0U*;
Regards,
Andrii.
On Thu, Aug 9, 2018 at 2:35 PM, Andrii Simiklit <asimiklit.work at gmail.com>
wrote:
> The "gen_group_get_length" function can return a negative value
> and it can lead to the out of bounds group_iter.
>
> Signed-off-by: Andrii Simiklit <andrii.simiklit at globallogic.com>
> ---
> src/intel/common/gen_decoder.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/intel/common/gen_decoder.c b/src/intel/common/gen_decoder
> .c
> index ec0a486..f09bd87 100644
> --- a/src/intel/common/gen_decoder.c
> +++ b/src/intel/common/gen_decoder.c
> @@ -803,8 +803,10 @@ static bool
> iter_more_groups(const struct gen_field_iterator *iter)
> {
> if (iter->group->variable) {
> - return iter_group_offset_bits(iter, iter->group_iter + 1) <
> - (gen_group_get_length(iter->group, iter->p) * 32);
> + const int length = gen_group_get_length(iter->group, iter->p);
> + return length > 0 &&
> + iter_group_offset_bits(iter, iter->group_iter + 1) <
> + (length * 32);
> } else {
> return (iter->group_iter + 1) < iter->group->group_count ||
> iter->group->next != NULL;
> --
> 2.7.4
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/mesa-dev/attachments/20180809/d3c0f0d6/attachment.html>
More information about the mesa-dev
mailing list