[Mesa-dev] [PATCH v3] intel/decoder: fix the possible out of bounds group_iter

Lionel Landwerlin lionel.g.landwerlin at intel.com
Mon Aug 20 18:13:27 UTC 2018


On 20/08/2018 17:20, asimiklit.work at gmail.com wrote:
> From: Andrii Simiklit <andrii.simiklit at globallogic.com>
>
> The "gen_group_get_length" function can return a negative value,
> which can lead to an out-of-bounds group_iter.
>
> v2: printing of "unknown command type" was added
> v3: just the asserts are added
>
> Signed-off-by: Andrii Simiklit <andrii.simiklit at globallogic.com>

Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin at intel.com>

Somebody should take a look at the other patches I sent out ;)
Thanks!

-
Lionel
> ---
>   src/intel/common/gen_decoder.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/intel/common/gen_decoder.c b/src/intel/common/gen_decoder.c
> index ec0a486..2d9609a 100644
> --- a/src/intel/common/gen_decoder.c
> +++ b/src/intel/common/gen_decoder.c
> @@ -803,8 +803,10 @@ static bool
>   iter_more_groups(const struct gen_field_iterator *iter)
>   {
>      if (iter->group->variable) {
> +      int length = gen_group_get_length(iter->group, iter->p);
> +      assert(length >= 0 && "error the length is unknown!");
>         return iter_group_offset_bits(iter, iter->group_iter + 1) <
> -              (gen_group_get_length(iter->group, iter->p) * 32);
> +              (length * 32);
>      } else {
>         return (iter->group_iter + 1) < iter->group->group_count ||
>            iter->group->next != NULL;
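Review bot: the new `assert(length >= 0 && ...)` in iter_more_groups is compiled out in NDEBUG builds, so a release build still evaluates `(length * 32)` with a negative length and keeps exactly the out-of-bounds behaviour the commit message describes. If a negative return from gen_group_get_length() is reachable at runtime (an unknown command type in the input stream rather than a programming error), consider also terminating the iteration explicitly, e.g. `if (length < 0) return false;` before the comparison, so that the assert documents the invariant but the release path is safe too. Minor: the message `"error the length is unknown!"` reads awkwardly in the `&&`-string idiom; something like `"gen_group_get_length() returned an unknown length"` is clearer.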
> @@ -991,6 +993,7 @@ gen_field_iterator_init(struct gen_field_iterator *iter,
>      iter->p_bit = p_bit;
>   
>      int length = gen_group_get_length(iter->group, iter->p);
> +   assert(length >= 0 && "error the length is unknown!");
>      iter->p_end = length > 0 ? &p[length] : NULL;
>      iter->print_colors = print_colors;
>   }
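Review bot: in gen_field_iterator_init the existing ternary `length > 0 ? &p[length] : NULL` already maps a negative length to p_end == NULL, so the added assert only changes debug-build behaviour here and, in release builds, an unknown (negative) length remains indistinguishable from a zero length once init returns. If the unknown-length case is meant to be fatal, that is fine, but it is worth stating in the commit message that release builds keep the p_end == NULL fallback. The assert message is also a verbatim copy of the one in iter_more_groups; a shared message or a distinct one naming the function would make a debug failure easier to locate.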



