[Mesa-dev] [PATCH v3] intel/decoder: fix the possible out of bounds group_iter
andrey simiklit
asimiklit.work at gmail.com
Mon Sep 3 10:20:38 UTC 2018
Hi,
Thanks a lot.
Regards,
Andrii.
On Mon, Sep 3, 2018 at 1:16 PM Lionel Landwerlin <
lionel.g.landwerlin at intel.com> wrote:
> Done.
>
> -
> Lionel
>
> On 03/09/2018 08:55, andrey simiklit wrote:
>
> Hi all,
>
> Could somebody push this small patch to mesa?
>
> Regards,
> Andrii.
> On Mon, Aug 20, 2018 at 9:13 PM Lionel Landwerlin <
> lionel.g.landwerlin at intel.com> wrote:
>
>> On 20/08/2018 17:20, asimiklit.work at gmail.com wrote:
>> > From: Andrii Simiklit <andrii.simiklit at globallogic.com>
>> >
>> > The "gen_group_get_length" function can return a negative value
>> > and it can lead to the out of bounds group_iter.
>> >
>> > v2: printing of "unknown command type" was added
>> > v3: just the asserts are added
>> >
>> > Signed-off-by: Andrii Simiklit <andrii.simiklit at globallogic.com>
>>
>> Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin at intel.com>
>>
>> Somebody should take a look at the other patches I sent out ;)
>> Thanks!
>>
>> -
>> Lionel
>> > ---
>> > src/intel/common/gen_decoder.c | 5 ++++-
>> > 1 file changed, 4 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/src/intel/common/gen_decoder.c
>> b/src/intel/common/gen_decoder.c
>> > index ec0a486..2d9609a 100644
>> > --- a/src/intel/common/gen_decoder.c
>> > +++ b/src/intel/common/gen_decoder.c
>> > @@ -803,8 +803,10 @@ static bool
>> > iter_more_groups(const struct gen_field_iterator *iter)
>> > {
>> > if (iter->group->variable) {
>> > + int length = gen_group_get_length(iter->group, iter->p);
>> > + assert(length >= 0 && "error the length is unknown!");
>> > return iter_group_offset_bits(iter, iter->group_iter + 1) <
>> > - (gen_group_get_length(iter->group, iter->p) * 32);
>> > + (length * 32);
>> > } else {
>> > return (iter->group_iter + 1) < iter->group->group_count ||
>> > iter->group->next != NULL;
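
Review bot: In iter_more_groups() the new assert(length >= 0 && ...) is the only guard on the value, and it is compiled out when NDEBUG is defined, so in such builds a negative length still reaches (length * 32) and the comparison exactly as before the patch. Since the commit message says gen_group_get_length can return a negative value, consider keeping the assert for debug builds and also adding an explicit "if (length < 0) return false;" before the comparison so the iterator stops in every build configuration.
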
>> > @@ -991,6 +993,7 @@ gen_field_iterator_init(struct gen_field_iterator
>> *iter,
>> > iter->p_bit = p_bit;
>> >
>> > int length = gen_group_get_length(iter->group, iter->p);
>> > + assert(length >= 0 && "error the length is unknown!");
>> > iter->p_end = length > 0 ? &p[length] : NULL;
>> > iter->print_colors = print_colors;
>> > }
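
Review bot: In gen_field_iterator_init() the added assert(length >= 0 && ...) makes debug and release builds behave differently for the same input: the next line, "iter->p_end = length > 0 ? &p[length] : NULL;", already maps a non-positive length to a NULL p_end, so a build with NDEBUG continues with p_end == NULL while a debug build aborts. If a negative length can come from the data being decoded rather than from a caller bug, an explicit error path is a better fit than an assert; if it is strictly a programming error, a short comment saying so would help. The message "error the length is unknown!" would also read more clearly as something like "group length is unknown".
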
>>
>>
>>
>