From 9c1ab9609cf4506684d533a967e4694c9be7873e Mon Sep 17 00:00:00 2001 From: Francisco Jerez Date: Fri, 16 Mar 2018 14:35:10 -0700 Subject: [PATCH] i965: Handle non-zero texture buffer offsets in buffer object range calculation. Otherwise the specified surface state will allow the GPU to access memory up to BufferOffset bytes past the end of the buffer. Found by inspection. v2: Protect against out-of-range BufferOffset (Nanley). Cc: mesa-stable@lists.freedesktop.org Reviewed-by: Nanley Chery (cherry picked from commit e989acb03ba802737f762627dd16ac1d0b9f0d13) --- src/mesa/drivers/dri/i965/brw_wm_surface_state.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/mesa/drivers/dri/i965/brw_wm_surface_state.c b/src/mesa/drivers/dri/i965/brw_wm_surface_state.c index 692e5db91db..a65541e34df 100644 --- a/src/mesa/drivers/dri/i965/brw_wm_surface_state.c +++ b/src/mesa/drivers/dri/i965/brw_wm_surface_state.c @@ -645,6 +645,7 @@ buffer_texture_range_size(struct brw_context *brw, const unsigned texel_size = _mesa_get_format_bytes(obj->_BufferObjectFormat); const unsigned buffer_size = (!obj->BufferObject ? 0 : obj->BufferObject->Size); + const unsigned buffer_offset = MIN2(buffer_size, obj->BufferOffset); /* The ARB_texture_buffer_specification says: * @@ -662,7 +663,8 @@ buffer_texture_range_size(struct brw_context *brw, * so that when ISL divides by stride to obtain the number of texels, that * texel count is clamped to MAX_TEXTURE_BUFFER_SIZE. */ - return MIN3((unsigned)obj->BufferSize, buffer_size, + return MIN3((unsigned)obj->BufferSize, + buffer_size - buffer_offset, brw->ctx.Const.MaxTextureBufferSize * texel_size); }