From bf2ec0fc51b4c5c5287adaa4032819e500d51c72 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Sat, 29 Jul 2023 19:12:09 +0200
Subject: [PATCH] asahi,agx: Fix stack buffer overflow in agx_link_varyings_vs_fs
Discovered while running dEQP-EGL under address sanitizer.
Fixes: f3877f56ba7 ("asahi,agx: Rewrite varying linking")
Signed-off-by: Janne Grunau
Part-of:
(cherry picked from commit 3f8894b0f7c32856a868e255445610ee82efdf70)
---
 .pick_status.json | 2 +-
 src/gallium/drivers/asahi/agx_state.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.pick_status.json b/.pick_status.json
index 1860f36311e..b700d9151a6 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -2146,7 +2146,7 @@
 "description": "asahi,agx: Fix stack buffer overflow in agx_link_varyings_vs_fs",
 "nominated": true,
 "nomination_type": 1,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": "f3877f56ba7915ee6bc6866c0f4dc21881a3f5fb"
 },
diff --git a/src/gallium/drivers/asahi/agx_state.c b/src/gallium/drivers/asahi/agx_state.c
index 52eba19709f..203b0145a0e 100644
--- a/src/gallium/drivers/asahi/agx_state.c
+++ b/src/gallium/drivers/asahi/agx_state.c
@@ -1367,8 +1367,8 @@ agx_link_varyings_vs_fs(struct agx_pool *pool, struct agx_varyings_vs *vs,
 /* I don't understand why the data structures are repeated thrice */
 for (unsigned i = 0; i < 3; ++i) {
- memcpy(((uint8_t *)ptr.cpu) + (i * linkage_size),
- ((uint8_t *)tmp) + (i * linkage_size), linkage_size);
+ memcpy(((uint8_t *)ptr.cpu) + (i * linkage_size), (uint8_t *)tmp,
+ linkage_size);
 }
 return ptr.gpu;
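Review bot: The comment above the corrected `memcpy` in the agx_state.c hunk still only says the author does not understand the triple repeat, so nothing records the invariant the fix appears to rely on: `tmp` holds one linkage of `linkage_size` bytes and only the destination advances with `i`. I would replace or extend it with `/* tmp holds one linkage (linkage_size bytes); it is written three times, so only the destination is offset by i */` and give the literal `3` a name so the loop and the allocation cannot drift apart. The sizes of `tmp` and of the `ptr` allocation are set earlier in agx_link_varyings_vs_fs, outside this hunk, so it cannot be confirmed from here that the destination holds `3 * linkage_size` bytes; an assert beside the loop tying those sizes together would catch a mismatch without needing a sanitizer run. The `(uint8_t *)` cast on `tmp` is also unnecessary now that no byte offset is applied to the source.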