fdo-mirrors/mesa
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/mesa/mesa.git synced 2026-01-05 02:30:18 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

i965: Fix out-of-bounds access to brw_stage_state::surf_offset

Browse source 
../src/mesa/drivers/dri/i965/brw_wm_surface_state.c:1378:32: runtime error: index 3503345872 out of bounds for type 'uint32_t [149]'

brw_assign_common_binding_table_offsets has the following comment:
 "Unused groups are initialized to 0xd0d0d0d0 to make it obvious that they're
 unused but also make sure that addition of small offsets to them will
 trigger some of our asserts that surface indices are < BRW_MAX_SURFACES."

Cc: <mesa-stable@lists.freedesktop.org>
Signed-off-by: Danylo Piliaiev <danylo.piliaiev@globallogic.com>
Reviewed-by: Caio Marcelo de Oliveira Filho <caio.oliveira@intel.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/4350>
(cherry picked from commit 784358bd6e)
This commit is contained in:
Danylo Piliaiev 2020-03-27 16:55:52 +02:00 committed by Dylan Baker
parent 640f810f95
commit 7d00190859
2 changed files with 28 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.pick_status.json
View file

@ -67,7 +67,7 @@
"description": "i965: Fix out-of-bounds access to brw_stage_state::surf_offset",
"nominated": true,
"nomination_type": 0,
"resolution": 0,
"resolution": 1,
"master_sha": null,
"because_sha": null
},

48
src/mesa/drivers/dri/i965/brw_wm_surface_state.c
View file

@ -1364,33 +1364,39 @@ brw_upload_ubo_surfaces(struct brw_context *brw, struct gl_program *prog,
prog->info.num_abos == 0))
return;
uint32_t *ubo_surf_offsets =
&stage_state->surf_offset[prog_data->binding_table.ubo_start];
if (prog->info.num_ubos) {
assert(prog_data->binding_table.ubo_start < BRW_MAX_SURFACES);
uint32_t *ubo_surf_offsets =
&stage_state->surf_offset[prog_data->binding_table.ubo_start];
for (int i = 0; i < prog->info.num_ubos; i++) {
struct gl_buffer_binding *binding =
&ctx->UniformBufferBindings[prog->sh.UniformBlocks[i]->Binding];
upload_buffer_surface(brw, binding, &ubo_surf_offsets[i],
ISL_FORMAT_R32G32B32A32_FLOAT, 0);
for (int i = 0; i < prog->info.num_ubos; i++) {
struct gl_buffer_binding *binding =
&ctx->UniformBufferBindings[prog->sh.UniformBlocks[i]->Binding];
upload_buffer_surface(brw, binding, &ubo_surf_offsets[i],
ISL_FORMAT_R32G32B32A32_FLOAT, 0);
}
}
uint32_t *ssbo_surf_offsets =
&stage_state->surf_offset[prog_data->binding_table.ssbo_start];
uint32_t *abo_surf_offsets = ssbo_surf_offsets + prog->info.num_ssbos;
if (prog->info.num_ssbos || prog->info.num_abos) {
assert(prog_data->binding_table.ssbo_start < BRW_MAX_SURFACES);
uint32_t *ssbo_surf_offsets =
&stage_state->surf_offset[prog_data->binding_table.ssbo_start];
uint32_t *abo_surf_offsets = ssbo_surf_offsets + prog->info.num_ssbos;
for (int i = 0; i < prog->info.num_abos; i++) {
struct gl_buffer_binding *binding =
&ctx->AtomicBufferBindings[prog->sh.AtomicBuffers[i]->Binding];
upload_buffer_surface(brw, binding, &abo_surf_offsets[i],
ISL_FORMAT_RAW, RELOC_WRITE);
}
for (int i = 0; i < prog->info.num_abos; i++) {
struct gl_buffer_binding *binding =
&ctx->AtomicBufferBindings[prog->sh.AtomicBuffers[i]->Binding];
upload_buffer_surface(brw, binding, &abo_surf_offsets[i],
ISL_FORMAT_RAW, RELOC_WRITE);
}
for (int i = 0; i < prog->info.num_ssbos; i++) {
struct gl_buffer_binding *binding =
&ctx->ShaderStorageBufferBindings[prog->sh.ShaderStorageBlocks[i]->Binding];
for (int i = 0; i < prog->info.num_ssbos; i++) {
struct gl_buffer_binding *binding =
&ctx->ShaderStorageBufferBindings[prog->sh.ShaderStorageBlocks[i]->Binding];
upload_buffer_surface(brw, binding, &ssbo_surf_offsets[i],
ISL_FORMAT_RAW, RELOC_WRITE);
upload_buffer_surface(brw, binding, &ssbo_surf_offsets[i],
ISL_FORMAT_RAW, RELOC_WRITE);
}
}
stage_state->push_constants_dirty = true;