[Mesa-dev] [PATCH v3] intel/decoder: fix the possible out of bounds group_iter

Lionel Landwerlin lionel.g.landwerlin at intel.com
Mon Sep 3 10:16:56 UTC 2018


Done.

-
Lionel

On 03/09/2018 08:55, andrey simiklit wrote:
> Hi all,
>
> Could somebody push this small patch to mesa?
>
> Regards,
> Andrii.
> On Mon, Aug 20, 2018 at 9:13 PM Lionel Landwerlin <lionel.g.landwerlin at intel.com> wrote:
>
>     On 20/08/2018 17:20, asimiklit.work at gmail.com wrote:
>     > From: Andrii Simiklit <andrii.simiklit at globallogic.com>
>     >
>     > The "gen_group_get_length" function can return a negative value
>     > and it can lead to the out of bounds group_iter.
>     >
>     > v2: printing of "unknown command type" was added
>     > v3: just the asserts are added
>     >
>     > Signed-off-by: Andrii Simiklit <andrii.simiklit at globallogic.com>
>
>     Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin at intel.com>
>
>     Somebody should take a look at the other patches I sent out ;)
>     Thanks!
>
>     -
>     Lionel
>     > ---
>     >   src/intel/common/gen_decoder.c | 5 ++++-
>     >   1 file changed, 4 insertions(+), 1 deletion(-)
>     >
>     > diff --git a/src/intel/common/gen_decoder.c
>     b/src/intel/common/gen_decoder.c
>     > index ec0a486..2d9609a 100644
>     > --- a/src/intel/common/gen_decoder.c
>     > +++ b/src/intel/common/gen_decoder.c
>     > @@ -803,8 +803,10 @@ static bool
>     >   iter_more_groups(const struct gen_field_iterator *iter)
>     >   {
>     >      if (iter->group->variable) {
>     > +      int length = gen_group_get_length(iter->group, iter->p);
>     > +      assert(length >= 0 && "error the length is unknown!");
>     >         return iter_group_offset_bits(iter, iter->group_iter + 1) <
>     > - (gen_group_get_length(iter->group, iter->p) * 32);
>     > +              (length * 32);
>     >      } else {
>     >         return (iter->group_iter + 1) < iter->group->group_count ||
>     >            iter->group->next != NULL;
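
Review bot: The new assert in iter_more_groups() only guards builds where assertions are enabled; with NDEBUG defined it compiles away, and a negative length still feeds the comparison against (length * 32), which is the case the commit message says leads to an out-of-bounds group_iter. Consider adding an explicit check in the variable-group branch that returns false when length < 0, so the iteration stops in every build, and keep the assert in front of it for debugging.
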
>     > @@ -991,6 +993,7 @@ gen_field_iterator_init(struct
>     gen_field_iterator *iter,
>     >      iter->p_bit = p_bit;
>     >
>     >      int length = gen_group_get_length(iter->group, iter->p);
>     > +   assert(length >= 0 && "error the length is unknown!");
>     >      iter->p_end = length > 0 ? &p[length] : NULL;
>     >      iter->print_colors = print_colors;
>     >   }
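
Review bot: In gen_field_iterator_init() the line after the new assert already maps any non-positive length to a NULL p_end (length > 0 ? &p[length] : NULL), so the assert makes assert-enabled and NDEBUG builds behave differently on the same input: one aborts, the other continues with p_end == NULL. If a negative length can come from the data being decoded rather than from a programming error, an explicit check that handles it in all builds (for example the "unknown command type" message the changelog says v2 printed) would be more predictable; otherwise a short comment stating that a negative length is a caller bug would document the intent.
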
>
>
