nv50,nvc0: Avoid uninitialized cbuf reads in blits

Overwrite the whole framebuffer cbuf rather than copying it from the
stack; fixes util_framebuffer_get_num_samples getting uninitialized
stack contents during validation.

Suggested-by: Karol Herbst <kherbst@redhat.com>
Reviewed-by: Karol Herbst <kherbst@redhat.com>
Signed-off-by: Alyssa Milburn <amilburn@zall.org>
Fixes: 2eb45daa9c ("gallium: de-pointerize pipe_surface")
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/14082
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39138>
Alyssa Milburn 2026-01-03 22:06:10 +01:00 committed by Marge Bot
parent 32bd3a6e4e
commit a6992c7bbe
2 changed files with 24 additions and 24 deletions


@ -1096,26 +1096,26 @@ nv50_blit_set_dst(struct nv50_blitctx *ctx,
{
struct nv50_context *nv50 = ctx->nv50;
struct pipe_context *pipe = &nv50->base.pipe;
struct pipe_surface templ;
/* We are going to reset this, so no point in refcounting */
templ.texture = res;
if (util_format_is_depth_or_stencil(format))
templ.format = nv50_blit_zeta_to_colour_format(format);
else
templ.format = format;
format = nv50_blit_zeta_to_colour_format(format);
templ.level = level;
templ.first_layer = templ.last_layer = layer;
/* this will be overwritten (not released) at the end of the blit */
nv50->framebuffer.cbufs[0] = (struct pipe_surface) {
.texture = res,
.format = format,
.level = level,
.first_layer = layer,
.last_layer = layer,
};
if (layer == -1) {
templ.first_layer = 0;
templ.last_layer =
nv50->framebuffer.cbufs[0].first_layer = 0;
nv50->framebuffer.cbufs[0].last_layer =
(res->target == PIPE_TEXTURE_3D ? res->depth0 : res->array_size) - 1;
}
nv50->fb_cbufs[0] = nv50_miptree_surface_new(pipe, res, &templ);
nv50->framebuffer.cbufs[0] = templ;
nv50->fb_cbufs[0] = nv50_miptree_surface_new(pipe, res, &nv50->framebuffer.cbufs[0]);
nv50->framebuffer.nr_cbufs = 1;
memset(&nv50->framebuffer.zsbuf, 0, sizeof(nv50->framebuffer.zsbuf));
nv50->fb_zsbuf = NULL;
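Review bot: The zero-fill of every field not named in the compound literal assigned to `nv50->framebuffer.cbufs[0]` is what removes the uninitialized read, but the new code never says so; its only comment covers the texture pointer not being released. A later refactor back to member-by-member assignment on a stack temporary would silently reintroduce the bug, so I would extend the comment, e.g. `/* compound literal zero-fills all unnamed fields (validation reads them); texture is overwritten, not released, at the end of the blit */`. The same applies to the identical literal in `nvc0_blit_set_dst`. Separately, `layer == -1` is first stored into `.first_layer`/`.last_layer` and only then patched in the `if`; computing the layer range before the literal would avoid a transient wrapped value if those fields are unsigned (their types are not visible here). The function body continues outside the hunk.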


@ -963,26 +963,26 @@ nvc0_blit_set_dst(struct nvc0_blitctx *ctx,
{
struct nvc0_context *nvc0 = ctx->nvc0;
struct pipe_context *pipe = &nvc0->base.pipe;
struct pipe_surface templ;
/* We are going to reset this, so no point in refcounting */
templ.texture = res;
if (util_format_is_depth_or_stencil(format))
templ.format = nv50_blit_zeta_to_colour_format(format);
else
templ.format = format;
format = nv50_blit_zeta_to_colour_format(format);
templ.level = level;
templ.first_layer = templ.last_layer = layer;
/* this will be overwritten (not released) at the end of the blit */
nvc0->framebuffer.cbufs[0] = (struct pipe_surface) {
.texture = res,
.format = format,
.level = level,
.first_layer = layer,
.last_layer = layer,
};
if (layer == -1) {
templ.first_layer = 0;
templ.last_layer =
nvc0->framebuffer.cbufs[0].first_layer = 0;
nvc0->framebuffer.cbufs[0].last_layer =
(res->target == PIPE_TEXTURE_3D ? res->depth0 : res->array_size) - 1;
}
nvc0->framebuffer.cbufs[0] = templ;
nvc0->fb_cbufs[0] = nvc0_miptree_surface_new(pipe, res, &templ);
nvc0->fb_cbufs[0] = nvc0_miptree_surface_new(pipe, res, &nvc0->framebuffer.cbufs[0]);
nvc0->framebuffer.nr_cbufs = 1;
memset(&nvc0->framebuffer.zsbuf, 0, sizeof(nvc0->framebuffer.zsbuf));
pipe_surface_size(&nvc0->framebuffer.cbufs[0], &nvc0->framebuffer.width, &nvc0->framebuffer.height);