From 86e749a96e480ef0ea82a94023d8e73966a30047 Mon Sep 17 00:00:00 2001
From: Francisco Jerez
Date: Fri, 16 Mar 2018 14:35:10 -0700
Subject: [PATCH] i965: Handle non-zero texture buffer offsets in buffer object range calculation.

Otherwise the specified surface state will allow the GPU to access memory up to BufferOffset bytes past the end of the buffer. Found by inspection.

v2: Protect against out-of-range BufferOffset (Nanley).

Cc: mesa-stable@lists.freedesktop.org
Reviewed-by: Nanley Chery
(cherry picked from commit e989acb03ba802737f762627dd16ac1d0b9f0d13)
---
 src/mesa/drivers/dri/i965/brw_wm_surface_state.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/mesa/drivers/dri/i965/brw_wm_surface_state.c b/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
index dd4f3e8a790..1eea8507bfd 100644
--- a/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
+++ b/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
@@ -610,6 +610,7 @@ buffer_texture_range_size(struct brw_context *brw,
 const unsigned texel_size = _mesa_get_format_bytes(obj->_BufferObjectFormat);
 const unsigned buffer_size = (!obj->BufferObject ? 0 : obj->BufferObject->Size);
+ const unsigned buffer_offset = MIN2(buffer_size, obj->BufferOffset);
 /* The ARB_texture_buffer_specification says:
 *
@@ -627,7 +628,8 @@ buffer_texture_range_size(struct brw_context *brw,
 * so that when ISL divides by stride to obtain the number of texels, that
 * texel count is clamped to MAX_TEXTURE_BUFFER_SIZE.
 */
- return MIN3((unsigned)obj->BufferSize, buffer_size,
+ return MIN3((unsigned)obj->BufferSize,
+ buffer_size - buffer_offset,
 brw->ctx.Const.MaxTextureBufferSize * texel_size);
 }
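Review bot: The `MIN2(buffer_size, obj->BufferOffset)` clamp added in the first hunk is the only thing that keeps `buffer_size - buffer_offset` in the second hunk from wrapping, but nothing at that line says so, and it only holds for a non-negative offset. The declaration of `BufferOffset` is outside the hunk; if it is a signed type wider than `unsigned`, a negative value would win the comparison and then convert to a large unsigned, so the subtraction would yield a range larger than `buffer_size`. Assuming the API entry points already reject negative offsets, I would pin the invariant where the clamp is made with `assert(obj->BufferOffset >= 0);` and a comment such as `/* Clamp so buffer_size - buffer_offset below cannot wrap. */`. The `buffer_size` context line has the same narrowing question for `obj->BufferObject->Size`, whose type is also not visible here. The body of buffer_texture_range_size starts above the first hunk and continues between the two hunks.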