<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Feb 15, 2018 at 7:42 AM, Daniel Stone <<a href="mailto:daniels@collabora.com" target="_blank">daniels@collabora.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The previous commit reworked the checks intel_from_planar() to check the right individual cases for regular/planar/aux buffers, and do size checks in all cases. Unfortunately, the aux size check was broken, and required the aux surface to be allocated with the correct aux stride, but full image height (!). As the ISL aux surface is not recorded in the DRIimage, we cannot easily access it to check. Instead, store the aux size from when we do have the ISL surface to hand, and check against that later when we go to access the aux surface. Signed-off-by: Daniel Stone <<a href="mailto:daniels@collabora.com">daniels@collabora.com</a>> Fixes: c2c4e5bae3ba ("i965: Fix bugs in intel_from_planar") Cc: Jason Ekstrand <<a href="mailto:jason@jlekstrand.net">jason@jlekstrand.net</a>> --- src/mesa/drivers/dri/i965/intel_image.h | 3 +++ src/mesa/drivers/dri/i965/intel_screen.c | 10 +++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/src/mesa/drivers/dri/i965/intel_image.h b/src/mesa/drivers/dri/i965/intel_image.h index 78d689a11a3..a8193c6def9 100644 --- a/src/mesa/drivers/dri/i965/intel_image.h +++ b/src/mesa/drivers/dri/i965/intel_image.h @@ -98,6 +98,9 @@ struct __DRIimageRec { /** Pitch of the auxiliary compression surface. */ uint32_t aux_pitch; + /** Total size in bytes of the auxiliary compression surface. */ + uint32_t aux_size; + /** * Provided by EGL_EXT_image_dma_buf_import. * \{ diff --git a/src/mesa/drivers/dri/i965/intel_screen.c b/src/mesa/drivers/dri/i965/intel_screen.c index 1c0fffa2e96..a21b08e51b1 100644 --- a/src/mesa/drivers/dri/i965/intel_screen.c +++ b/src/mesa/drivers/dri/i965/intel_screen.c @@ -750,6 +750,7 @@ intel_create_image_common(__DRIscreen *dri_screen, if (aux_surf.size) { image->aux_offset = surf.size; image->aux_pitch = aux_surf.row_pitch; + image->aux_size = aux_surf.size; </blockquote><div> </div><div>We also need to do this in create_image_from_fds_common </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> } return image; @@ -1312,7 +1313,7 @@ intel_query_dma_buf_modifiers(__DRIscreen *_screen, int fourcc, int max, static __DRIimage * intel_from_planar(__DRIimage *parent, int plane, void *loaderPrivate) { - int width, height, offset, stride, dri_format; + int width, height, offset, stride, size, dri_format; __DRIimage *image; if (parent == NULL) @@ -1331,24 +1332,27 @@ intel_from_planar(__DRIimage *parent, int plane, void *loaderPrivate) int index = f->planes[plane].buffer_index; offset = parent->offsets[index]; stride = parent->strides[index]; + size = height * stride; } else if (plane == 0) { /* The only plane of a non-planar image: copy the parent definition * directly. */ dri_format = parent->dri_format; offset = parent->offset; stride = parent->pitch; + size = height * stride; } else if (plane == 1 && parent->modifier != DRM_FORMAT_MOD_INVALID && isl_drm_modifier_has_aux(parent->modifier)) { /* Auxiliary plane */ dri_format = parent->dri_format; offset = parent->aux_offset; stride = parent->aux_pitch; + size = parent->aux_size; } else { return NULL; } - if (offset + height * stride > parent->bo->size) { - _mesa_warning(NULL, "intel_create_sub_image: subimage out of bounds"); + if (offset + size > parent->bo->size) { + _mesa_warning(NULL, "intel_from_planar: subimage out of bounds"); return NULL; } -- 2.14.3 </blockquote></div> </div></div>