diff options
| author | Chad Versace <chad.versace@linux.intel.com> | 2014-12-22 15:58:48 -0600 |
|---|---|---|
| committer | Emil Velikov <emil.l.velikov@gmail.com> | 2015-01-04 21:19:14 +0000 |
| commit | 71cd8f1388a2ab9faef5921841686a13cc57e102 (patch) | |
| tree | ca5b66b6b9dcd536916ae988ad39cd38133e2460 | |
| parent | 87017f210d519b7bb460dbcb0bb814212969ffff (diff) | |
i965: Use safer pointer arithmetic in intel_texsubimage_tiled_memcpy()
This patch reduces the likelihood of pointer arithmetic overflow bugs in
intel_texsubimage_tiled_memcpy() , like the one fixed by b69c7c5dac.
I haven't yet encountered any overflow bugs in the wild along this
patch's codepath. But I recently solved, in commit b69c7c5dac, an overflow
bug in a line of code that looks very similar to pointer arithmetic in
this function.
This patch conceptually applies the same fix as in b69c7c5dac. Instead
of retyping the variables, though, this patch adds some casts. (I tried
to retype the variables as ptrdiff_t, but it quickly got very messy. The
casts are cleaner).
Reviewed-by: Kenneth Graunke <kenneth@whitecape.org>
Signed-off-by: Chad Versace <chad.versace@linux.intel.com>
(cherry picked from commit 225a09790da0b1605a0b68acbbe1e0f30eee3e6f)
| -rw-r--r-- | src/mesa/drivers/dri/i965/intel_tex_subimage.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/mesa/drivers/dri/i965/intel_tex_subimage.c b/src/mesa/drivers/dri/i965/intel_tex_subimage.c index a121816dcec..511b7b2f410 100644 --- a/src/mesa/drivers/dri/i965/intel_tex_subimage.c +++ b/src/mesa/drivers/dri/i965/intel_tex_subimage.c @@ -494,8 +494,8 @@ linear_to_tiled(uint32_t xt1, uint32_t xt2, /* Translate by (xt,yt) for single-tile copier. */ tile_copy(x0-xt, x1-xt, x2-xt, x3-xt, y0-yt, y1-yt, - dst + xt * th + yt * dst_pitch, - src + xt + yt * src_pitch, + dst + (ptrdiff_t) xt * th + (ptrdiff_t) yt * dst_pitch, + src + (ptrdiff_t) xt + (ptrdiff_t) yt * src_pitch, src_pitch, swizzle_bit, mem_copy); @@ -660,7 +660,8 @@ intel_texsubimage_tiled_memcpy(struct gl_context * ctx, linear_to_tiled( xoffset * cpp, (xoffset + width) * cpp, yoffset, yoffset + height, - bo->virtual, pixels - yoffset * src_pitch - xoffset * cpp, + bo->virtual, + pixels - (ptrdiff_t) yoffset * src_pitch - (ptrdiff_t) xoffset * cpp, image->mt->pitch, src_pitch, brw->has_swizzling, image->mt->tiling, |