fdo-mirrors/mesa
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/mesa/mesa.git synced 2025-12-24 04:30:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

intel/decoder: fix the possible out of bounds group_iter

Browse source 
The "gen_group_get_length" function can return a negative value
and it can lead to the out of bounds group_iter.

v2: printing of "unknown command type" was added
v3: just the asserts are added

Signed-off-by: Andrii Simiklit <andrii.simiklit@globallogic.com>
Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
This commit is contained in:
Andrii Simiklit 2018-08-20 19:20:59 +03:00 committed by Lionel Landwerlin
parent 233718a199
commit 095600dad6
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/intel/common/gen_decoder.c
View file

@ -804,8 +804,10 @@ static bool
iter_more_groups(const struct gen_field_iterator *iter)
{
if (iter->group->variable) {
int length = gen_group_get_length(iter->group, iter->p);
assert(length >= 0 && "error the length is unknown!");
return iter_group_offset_bits(iter, iter->group_iter + 1) <
(gen_group_get_length(iter->group, iter->p) * 32);
(length * 32);
} else {
return (iter->group_iter + 1) < iter->group->group_count ||
iter->group->next != NULL;
@ -997,6 +999,7 @@ gen_field_iterator_init(struct gen_field_iterator *iter,
iter->p_bit = p_bit;
int length = gen_group_get_length(iter->group, iter->p);
assert(length >= 0 && "error the length is unknown!");
iter->p_end = length >= 0 ? &p[length] : NULL;
iter->print_colors = print_colors;
}