From bb8ee5f52dbd0bbfd5121c6860c8357f04ef4b2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20=C5=9Alusarz?= <marcin.slusarz@intel.com>
Date: Wed, 17 Mar 2021 20:01:01 +0100
Subject: [PATCH] intel/batch_decoder: catch invalid sampler state pointer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Marcin Ślusarz <marcin.slusarz@intel.com>
Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/9707>
---
 src/intel/common/intel_batch_decoder.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/intel/common/intel_batch_decoder.c b/src/intel/common/intel_batch_decoder.c
index dc41dd7329a..acbaabc720a 100644
--- a/src/intel/common/intel_batch_decoder.c
+++ b/src/intel/common/intel_batch_decoder.c
@@ -350,11 +350,18 @@ dump_samplers(struct intel_batch_decode_ctx *ctx, uint32_t offset, int count)
       return;
    }
 
+   const unsigned sampler_state_size = strct->dw_length * 4;
+
+   if (count * sampler_state_size >= bo.size) {
+      fprintf(ctx->fp, "  sampler state ends after bo ends\n");
+      return;
+   }
+
    for (int i = 0; i < count; i++) {
       fprintf(ctx->fp, "sampler state %d\n", i);
       ctx_print_group(ctx, strct, state_addr, state_map);
-      state_addr += 16;
-      state_map += 16;
+      state_addr += sampler_state_size;
+      state_map += sampler_state_size;
    }
 }