[Mesa-stable] [PATCHv2 3/4] i965: Handle non-zero texture buffer offsets in buffer object range calculation.

Francisco Jerez currojerez at riseup.net
Tue May 22 00:32:09 UTC 2018


Otherwise the specified surface state will allow the GPU to access
memory up to BufferOffset bytes past the end of the buffer.  Found by
inspection.

v2: Protect against out-of-range BufferOffset (Nanley).
Cc: mesa-stable at lists.freedesktop.org
---
 src/mesa/drivers/dri/i965/brw_wm_surface_state.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/mesa/drivers/dri/i965/brw_wm_surface_state.c b/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
index af629a17bfa..39e898243db 100644
--- a/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
+++ b/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
@@ -647,6 +647,7 @@ buffer_texture_range_size(struct brw_context *brw,
    const unsigned texel_size = _mesa_get_format_bytes(obj->_BufferObjectFormat);
    const unsigned buffer_size = (!obj->BufferObject ? 0 :
                                  obj->BufferObject->Size);
+   const unsigned buffer_offset = MIN2(buffer_size, obj->BufferOffset);
 
    /* The ARB_texture_buffer_specification says:
     *
@@ -664,7 +665,8 @@ buffer_texture_range_size(struct brw_context *brw,
     * so that when ISL divides by stride to obtain the number of texels, that
     * texel count is clamped to MAX_TEXTURE_BUFFER_SIZE.
     */
-   return MIN3((unsigned)obj->BufferSize, buffer_size,
+   return MIN3((unsigned)obj->BufferSize,
+               buffer_size - buffer_offset,
                brw->ctx.Const.MaxTextureBufferSize * texel_size);
 }
 
-- 
2.16.1



More information about the mesa-stable mailing list