fdo-mirrors/mesa
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/mesa/mesa.git synced 2025-12-28 10:20:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

i965: Fix out-of-bounds access to brw_stage_state::surf_offset

Browse source 
../src/mesa/drivers/dri/i965/brw_wm_surface_state.c:1378:32: runtime error: index 3503345872 out of bounds for type 'uint32_t [149]'

brw_assign_common_binding_table_offsets has the following comment:
 "Unused groups are initialized to 0xd0d0d0d0 to make it obvious that they're
 unused but also make sure that addition of small offsets to them will
 trigger some of our asserts that surface indices are < BRW_MAX_SURFACES."

Cc: <mesa-stable@lists.freedesktop.org>
Signed-off-by: Danylo Piliaiev <danylo.piliaiev@globallogic.com>
Reviewed-by: Caio Marcelo de Oliveira Filho <caio.oliveira@intel.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/4350>
This commit is contained in:
Danylo Piliaiev 2020-03-27 16:55:52 +02:00 committed by Marge Bot
parent 7f6a491eec
commit 784358bd6e
1 changed files with 27 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
src/mesa/drivers/dri/i965/brw_wm_surface_state.c
View file

@ -1362,33 +1362,39 @@ brw_upload_ubo_surfaces(struct brw_context *brw, struct gl_program *prog,
prog->info.num_abos == 0))
return;
uint32_t *ubo_surf_offsets =
&stage_state->surf_offset[prog_data->binding_table.ubo_start];
if (prog->info.num_ubos) {
assert(prog_data->binding_table.ubo_start < BRW_MAX_SURFACES);
uint32_t *ubo_surf_offsets =
&stage_state->surf_offset[prog_data->binding_table.ubo_start];
for (int i = 0; i < prog->info.num_ubos; i++) {
struct gl_buffer_binding *binding =
&ctx->UniformBufferBindings[prog->sh.UniformBlocks[i]->Binding];
upload_buffer_surface(brw, binding, &ubo_surf_offsets[i],
ISL_FORMAT_R32G32B32A32_FLOAT, 0);
for (int i = 0; i < prog->info.num_ubos; i++) {
struct gl_buffer_binding *binding =
&ctx->UniformBufferBindings[prog->sh.UniformBlocks[i]->Binding];
upload_buffer_surface(brw, binding, &ubo_surf_offsets[i],
ISL_FORMAT_R32G32B32A32_FLOAT, 0);
}
}
uint32_t *ssbo_surf_offsets =
&stage_state->surf_offset[prog_data->binding_table.ssbo_start];
uint32_t *abo_surf_offsets = ssbo_surf_offsets + prog->info.num_ssbos;
if (prog->info.num_ssbos || prog->info.num_abos) {
assert(prog_data->binding_table.ssbo_start < BRW_MAX_SURFACES);
uint32_t *ssbo_surf_offsets =
&stage_state->surf_offset[prog_data->binding_table.ssbo_start];
uint32_t *abo_surf_offsets = ssbo_surf_offsets + prog->info.num_ssbos;
for (int i = 0; i < prog->info.num_abos; i++) {
struct gl_buffer_binding *binding =
&ctx->AtomicBufferBindings[prog->sh.AtomicBuffers[i]->Binding];
upload_buffer_surface(brw, binding, &abo_surf_offsets[i],
ISL_FORMAT_RAW, RELOC_WRITE);
}
for (int i = 0; i < prog->info.num_abos; i++) {
struct gl_buffer_binding *binding =
&ctx->AtomicBufferBindings[prog->sh.AtomicBuffers[i]->Binding];
upload_buffer_surface(brw, binding, &abo_surf_offsets[i],
ISL_FORMAT_RAW, RELOC_WRITE);
}
for (int i = 0; i < prog->info.num_ssbos; i++) {
struct gl_buffer_binding *binding =
&ctx->ShaderStorageBufferBindings[prog->sh.ShaderStorageBlocks[i]->Binding];
for (int i = 0; i < prog->info.num_ssbos; i++) {
struct gl_buffer_binding *binding =
&ctx->ShaderStorageBufferBindings[prog->sh.ShaderStorageBlocks[i]->Binding];
upload_buffer_surface(brw, binding, &ssbo_surf_offsets[i],
ISL_FORMAT_RAW, RELOC_WRITE);
upload_buffer_surface(brw, binding, &ssbo_surf_offsets[i],
ISL_FORMAT_RAW, RELOC_WRITE);
}
}
stage_state->push_constants_dirty = true;