From 4a2273eb8b4d42062458d5a9ef5ee4bb6b52eb76 Mon Sep 17 00:00:00 2001
From: Caio Oliveira
Date: Tue, 26 Aug 2025 15:17:47 -0700
Subject: [PATCH] util: Avoid invalid access in ralloc_print_info()

Check if allocation is large enough to hold the linear and gc contexts before probing for them.

Fixes: 7b5b1642815 ("util: Add function print information about a ralloc tree")
Acked-by: Eric R. Smith
Part-of:
(cherry picked from commit 62815cc91fee45ca11a0d36a6425fd88f975fa90)
---
 .pick_status.json | 2 +-
 src/util/ralloc.c | 13 +++++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/.pick_status.json b/.pick_status.json
index 471691be61b..d5955d92963 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -8114,7 +8114,7 @@
 "description": "util: Avoid invalid access in ralloc_print_info()",
 "nominated": true,
 "nomination_type": 2,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": "7b5b1642815dc7e74a7f90d89a7d46fde4ace19a",
 "notes": null
diff --git a/src/util/ralloc.c b/src/util/ralloc.c
index 659288922f3..ba560c8387a 100644
--- a/src/util/ralloc.c
+++ b/src/util/ralloc.c
@@ -1383,14 +1383,19 @@ ralloc_print_info_helper(ralloc_print_info_state *state, const ralloc_header *in
 const linear_ctx *lin_ctx = ptr;
 const gc_ctx *gc_ctx = ptr;
 
- if (lin_ctx->magic == LMAGIC_CONTEXT) {
+ const bool is_linear = info->size >= sizeof(*lin_ctx) &&
+ lin_ctx->magic == LMAGIC_CONTEXT;
+ const bool is_gc = info->size >= sizeof(*gc_ctx) &&
+ gc_ctx->canary == GC_CONTEXT_CANARY;
+
+ if (is_linear) {
 if (f) fprintf(f, " (linear context)");
 assert(!state->inside_gc && !state->inside_linear);
 state->inside_linear = true;
 state->linear_metadata_bytes += sizeof(linear_ctx);
 state->content_bytes -= sizeof(linear_ctx);
 state->linear_count++;
- } else if (gc_ctx->canary == GC_CONTEXT_CANARY) {
+ } else if (is_gc) {
 if (f) fprintf(f, " (gc context)");
 assert(!state->inside_gc && !state->inside_linear);
 state->inside_gc = true;
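Review bot: The new size guards on the `is_linear` and `is_gc` lines keep the `magic`/`canary` reads inside the block, but the classification still rests on a sentinel value sitting at offset 0 of arbitrary caller data, so a plain allocation large enough to pass the size test and holding LMAGIC_CONTEXT or GC_CONTEXT_CANARY by chance is still reported as a context and can trip the `assert(!state->inside_gc && !state->inside_linear)` nesting check; that is pre-existing and presumably acceptable for a diagnostic printer, but the limit of the check deserves a comment. I would add above the `const bool is_linear` line: `/* Contexts are recognised by a sentinel at offset 0; the size check only keeps the probe inside the block, it does not make the match authoritative. */`. The guard also assumes `info->size` counts the bytes usable from `ptr` rather than the header-inclusive size — the ralloc_header definition is outside the hunk, so worth confirming. `ptr` is defined before the hunk and ralloc_print_info_helper continues past it.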
@@ -1421,8 +1426,8 @@ ralloc_print_info_helper(ralloc_print_info_state *state, const ralloc_header *in
 state->indent -= 2;
 #ifndef NDEBUG
- if (lin_ctx->magic == LMAGIC_CONTEXT) state->inside_linear = false;
- else if (gc_ctx->canary == GC_CONTEXT_CANARY) state->inside_gc = false;
+ if (is_linear) state->inside_linear = false;
+ else if (is_gc) state->inside_gc = false;
 #endif
 }