[Mesa-dev] [PATCH v2] intel/decoder: fix the possible out of bounds group_iter
asimiklit.work at gmail.com
Tue Aug 14 09:04:21 UTC 2018
From: Andrii Simiklit <asimiklit.work at gmail.com>
The "gen_group_get_length" function can return a negative value,
and it can lead to an out-of-bounds group_iter.
v2: printing of "unknown command type" was added
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107544
Signed-off-by: Andrii Simiklit <andrii.simiklit at globallogic.com>
---
src/intel/common/gen_decoder.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/intel/common/gen_decoder.c b/src/intel/common/gen_decoder.c
index ec0a486..b36facf 100644
--- a/src/intel/common/gen_decoder.c
+++ b/src/intel/common/gen_decoder.c
@@ -770,6 +770,13 @@ gen_group_get_length(struct gen_group *group, const uint32_t *p)
return -1;
}
}
+ default: {
+ fprintf(stderr, "Unknown command type %u in '%s::%s'\n",
+ type,
+ (group->parent && group->parent->name) ? group->parent->name : "UNKNOWN",
+ group->name ? group->name : "UNKNOWN");
+ break;
+ }
}
return -1;
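Review bot: the `break;` in the new `default:` branch only falls through to the function's trailing `return -1;`, so the error path is implicit; returning -1 directly inside the branch (as the existing case above already does with `return -1;`) would make the failure explicit and keep the switch consistent. Also, `type` is printed with `%u`, so its declaration must be an unsigned type; if it is an enum or signed int the format should be adjusted. Finally, note that `iter_more_groups` in the next hunk evaluates `gen_group_get_length` on each call, so this `fprintf` can be emitted more than once for the same command; if that is noisy in practice, consider reporting once per command.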
@@ -803,8 +810,10 @@ static bool
iter_more_groups(const struct gen_field_iterator *iter)
{
if (iter->group->variable) {
- return iter_group_offset_bits(iter, iter->group_iter + 1) <
- (gen_group_get_length(iter->group, iter->p) * 32);
+ const int length = gen_group_get_length(iter->group, iter->p);
+ return length > 0 &&
+ iter_group_offset_bits(iter, iter->group_iter + 1) <
+ (length * 32);
} else {
return (iter->group_iter + 1) < iter->group->group_count ||
iter->group->next != NULL;
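Review bot: the `length > 0` guard is the right fix for this call site, since the old expression multiplied a possibly negative return by 32 before the comparison; if `iter_group_offset_bits` returns an unsigned type, the old `-1 * 32` would have been promoted to a very large unsigned value and the condition would always have held, which matches the out-of-bounds `group_iter` described in the commit message. However, this is the only caller of `gen_group_get_length` changed by the patch; any other caller in this file that consumes the result without checking for -1 (the visible case at the top of the first hunk already returns -1) needs the same guard, and the commit message should state whether `iter_more_groups` is the sole consumer. Minor: `length == 0` is now treated as "no more groups", which is reasonable, but worth a one-line comment since a zero-length variable group silently ends iteration.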
--
2.7.4