[Mesa-dev] [PATCH] intel/decoder: fix the possible out of bounds group_iter

andrey simiklit asimiklit.work at gmail.com
Thu Aug 9 12:00:30 UTC 2018


Hi,

Sorry I missed the main thought here.
The "gen_group_get_length" function returns *int*
but the "iter_group_offset_bits" function returns *uint32_t*
So *uint32_t*(*int*(-32)) = *0xFFFFFFE0U*, and it looks like unexpected
behavior to me:
iter_group_offset_bits(iter, iter->group_iter + 1) < *0xFFFFFFE0U*;

Regards,
Andrii.

On Thu, Aug 9, 2018 at 2:35 PM, Andrii Simiklit <asimiklit.work at gmail.com> wrote:

> The "gen_group_get_length" function can return a negative value
> and it can lead to the out of bounds group_iter.
>
> Signed-off-by: Andrii Simiklit <andrii.simiklit at globallogic.com>
> ---
>  src/intel/common/gen_decoder.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/intel/common/gen_decoder.c b/src/intel/common/gen_decoder
> .c
> index ec0a486..f09bd87 100644
> --- a/src/intel/common/gen_decoder.c
> +++ b/src/intel/common/gen_decoder.c
> @@ -803,8 +803,10 @@ static bool
>  iter_more_groups(const struct gen_field_iterator *iter)
>  {
>     if (iter->group->variable) {
> -      return iter_group_offset_bits(iter, iter->group_iter + 1) <
> -              (gen_group_get_length(iter->group, iter->p) * 32);
> +      const int length = gen_group_get_length(iter->group, iter->p);
> +      return length > 0 &&
> +             iter_group_offset_bits(iter, iter->group_iter + 1) <
> +              (length * 32);
>     } else {
>        return (iter->group_iter + 1) < iter->group->group_count ||
>           iter->group->next != NULL;
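Review bot: the new `length > 0 &&` guard is the right fix, but nothing in the hunk records why it is needed, so it risks being dropped later as redundant. As the reply explains, gen_group_get_length() returns int while iter_group_offset_bits() returns uint32_t, so a negative length times 32 is converted to a large unsigned value (-32 becomes 0xFFFFFFE0U) and the old `<` comparison wrongly succeeds. Suggest a one-line comment above the `return` (or a sentence in the commit message) stating that the guard exists to avoid the signed-to-unsigned conversion of a negative length, and consider writing the right-hand side as `(uint32_t)length * 32` so the conversion is explicit rather than implicit in the comparison.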
> --
> 2.7.4
>
>
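The signed/unsigned mismatch described in the reply above, as an added example that is not code from the original patch or from Mesa; the helper names and the constructed negative length are assumptions standing in for gen_group_get_length() and iter_group_offset_bits().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in (assumption) for iter_group_offset_bits(): the bit offset of the
 * next group, returned as uint32_t like the real decoder helper. */
static uint32_t next_group_offset_bits(uint32_t group_iter, uint32_t group_bits)
{
   return (group_iter + 1) * group_bits;
}

/* The comparison as it was before the patch: a negative int length times 32
 * is converted to uint32_t by the usual arithmetic conversions, so -32
 * becomes 0xFFFFFFE0U and almost any offset compares "less than" it. */
static bool more_groups_unguarded(uint32_t offset_bits, int length)
{
   return offset_bits < (length * 32);
}

/* The guarded form from the patch: a non-positive length never reaches the
 * comparison, so the negative value is never converted to unsigned. */
static bool more_groups_guarded(uint32_t offset_bits, int length)
{
   return length > 0 && offset_bits < (length * 32);
}

/* What a negative int looks like once converted to uint32_t. */
static uint32_t as_uint32(int v)
{
   return (uint32_t)v;
}

int main(void)
{
   int length = -1;   /* constructed: a negative value as gen_group_get_length() can return */
   uint32_t off = next_group_offset_bits(0, 64);

   printf("(uint32_t)(%d * 32) = 0x%08XU\n", length, as_uint32(length * 32));
   printf("unguarded: %d, guarded: %d\n",
          more_groups_unguarded(off, length), more_groups_guarded(off, length));
   return 0;
}
```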