diff options
| author | Chris Wilson <chris@chris-wilson.co.uk> | 2011-09-30 22:10:33 +0100 |
|---|---|---|
| committer | Ian Romanick <ian.d.romanick@intel.com> | 2011-10-14 17:28:45 -0700 |
| commit | 5b09cf5c574d74ef362fcb32ecf0a72a746a16fb (patch) | |
| tree | fb1a04e46a2bccdf1087e5bac091b5e2ecc2601d | |
| parent | eb0fd67f6acdd6990981c2322eab7d2fa229f66c (diff) | |
i915: out-of-bounds write in calc_live_regs()
From a Coverity defect report.
src/mesa/drivers/dri/i915/i915_fragprog.c
301 /*
302 * TODO: consider moving this into core
303 */
304 static bool calc_live_regs( struct i915_fragment_program *p )
305 {
306 const struct gl_fragment_program *program = &p->FragProg;
307 GLuint regsUsed = 0xffff0000;
-> 308 uint8_t live_components[16] = { 0, };
309 GLint i;
310
311 for (i = program->Base.NumInstructions - 1; i >= 0; i--) {
312 struct prog_instruction *inst =
&program->Base.Instructions[i];
313 int opArgs = _mesa_num_inst_src_regs(inst->Opcode);
314 int a;
315
316 /* Register is written to: unmark as live for this and
preceeding ops */
317 if (inst->DstReg.File == PROGRAM_TEMPORARY) {
-> 318 if (inst->DstReg.Index > 16)
319 return false;
320
-> 321 live_components[inst->DstReg.Index] &= ~inst->DstReg.WriteMask;
322 if (live_components[inst->DstReg.Index] == 0)
323 regsUsed &= ~(1 << inst->DstReg.Index);
324 }
325
326 for (a = 0; a < opArgs; a++) {
327 /* Register is read from: mark as live for this and preceeding ops */
328 if (inst->SrcReg[a].File == PROGRAM_TEMPORARY) {
329 unsigned c;
330
331 if (inst->SrcReg[a].Index > 16)
332 return false;
333
334 regsUsed |= 1 << inst->SrcReg[a].Index;
335
336 for (c = 0; c < 4; c++) {
337 const unsigned field = GET_SWZ(inst->SrcReg[a].Swizzle, c);
338
339 if (field <= SWIZZLE_W)
340 live_components[inst->SrcReg[a].Index] |= (1U << field);
341 }
342 }
343 }
344
345 p->usedRegs[i] = regsUsed;
346 }
Reported-by: Vinson Lee <vlee@vmware.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=40022
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
(cherry picked from commit 67582e6eef789324b527b4753065aea366145f4e)
| -rw-r--r-- | src/mesa/drivers/dri/i915/i915_fragprog.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/mesa/drivers/dri/i915/i915_fragprog.c b/src/mesa/drivers/dri/i915/i915_fragprog.c index 32050cebf33..e1658fc42d4 100644 --- a/src/mesa/drivers/dri/i915/i915_fragprog.c +++ b/src/mesa/drivers/dri/i915/i915_fragprog.c @@ -306,8 +306,8 @@ do { \ static bool calc_live_regs( struct i915_fragment_program *p ) { const struct gl_fragment_program *program = &p->FragProg; - GLuint regsUsed = 0xffff0000; - uint8_t live_components[16] = { 0, }; + GLuint regsUsed = ~((1 << I915_MAX_TEMPORARY) - 1); + uint8_t live_components[I915_MAX_TEMPORARY] = { 0, }; GLint i; for (i = program->Base.NumInstructions - 1; i >= 0; i--) { @@ -317,7 +317,7 @@ static bool calc_live_regs( struct i915_fragment_program *p ) /* Register is written to: unmark as live for this and preceeding ops */ if (inst->DstReg.File == PROGRAM_TEMPORARY) { - if (inst->DstReg.Index > 16) + if (inst->DstReg.Index >= I915_MAX_TEMPORARY) return false; live_components[inst->DstReg.Index] &= ~inst->DstReg.WriteMask; @@ -330,7 +330,7 @@ static bool calc_live_regs( struct i915_fragment_program *p ) if (inst->SrcReg[a].File == PROGRAM_TEMPORARY) { unsigned c; - if (inst->SrcReg[a].Index > 16) + if (inst->SrcReg[a].Index >= I915_MAX_TEMPORARY) return false; regsUsed |= 1 << inst->SrcReg[a].Index; |