fdo-mirrors/mesa
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/mesa/mesa.git synced 2026-06-03 19:48:17 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

i915: fix emit_hw_vertex() unbounded memory access

Browse source 
This change adds the DRAW_ATTR_NONEXIST functionality
which fixes the memory access issue.

For instance, this issue is triggered with "piglit/bin/glsl-routing -auto -fbo":
==8384==ERROR: AddressSanitizer: heap-use-after-free on address 0xa11dfd84 at pc 0xae573fbd bp 0xbf87f688 sp 0xbf87f67c
READ of size 4 at 0xa11dfd84 thread T0
    #0 0xae573fbc in emit_hw_vertex ../src/gallium/drivers/i915/i915_prim_emit.c:92
    #1 0xae574ab0 in emit_prim ../src/gallium/drivers/i915/i915_prim_emit.c:154
    #2 0xae574ab0 in setup_tri ../src/gallium/drivers/i915/i915_prim_emit.c:160
    #3 0xad65d322 in do_triangle ../src/gallium/auxiliary/draw/draw_pipe.c:173
    #4 0xad65d322 in pipe_run_linear ../src/gallium/auxiliary/draw/draw_decompose_tmp.h:181
    #5 0xad663375 in draw_pipeline_run_linear ../src/gallium/auxiliary/draw/draw_pipe.c:337
    #6 0xad86d9ac in pipeline ../src/gallium/auxiliary/draw/draw_pt_fetch_shade_pipeline_llvm.c:476
    #7 0xad86d9ac in llvm_pipeline_generic ../src/gallium/auxiliary/draw/draw_pt_fetch_shade_pipeline_llvm.c:701
    #8 0xad86ed75 in llvm_middle_end_linear_run ../src/gallium/auxiliary/draw/draw_pt_fetch_shade_pipeline_llvm.c:784
    #9 0xad6aaaee in vsplit_segment_simple_linear ../src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h:223
    #10 0xad6aaaee in vsplit_run_linear ../src/gallium/auxiliary/draw/draw_split_tmp.h:64
    #11 0xad68a74b in draw_pt_arrays ../src/gallium/auxiliary/draw/draw_pt.c:161
    #12 0xad68b7ca in draw_pt_arrays_restart ../src/gallium/auxiliary/draw/draw_pt.c:430
    #13 0xad68b7ca in draw_instances ../src/gallium/auxiliary/draw/draw_pt.c:491
    #14 0xad68ce0a in draw_vbo ../src/gallium/auxiliary/draw/draw_pt.c:628
    #15 0xae5651d4 in i915_draw_vbo ../src/gallium/drivers/i915/i915_context.c:115
    #16 0xae5651d4 in i915_draw_vbo ../src/gallium/drivers/i915/i915_context.c:51
    #17 0xac7f50d3 in _mesa_draw_arrays ../src/mesa/main/draw.c:1204

Fixes: 247cee92df ("i915g: replace "uint" with normal uint32_t.")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27571>
This commit is contained in:
Patrick Lerda 2024-02-09 12:51:36 +01:00 committed by Marge Bot
parent d1af3d95c7
commit ea54dea3a4
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/gallium/drivers/i915/i915_prim_emit.c
View file

@ -70,8 +70,10 @@ emit_hw_vertex(struct i915_context *i915, const struct vertex_header *vertex)
assert(!i915->dirty);
for (i = 0; i < vinfo->num_attribs; i++) {
static const float zeros[4] = {0., 0., 0., 0.};
const uint32_t j = vinfo->attrib[i].src_index;
const float *attrib = vertex->data[j];
const float *attrib =
likely(j != DRAW_ATTR_NONEXIST) ? vertex->data[j] : zeros;
switch (vinfo->attrib[i].emit) {
case EMIT_1F:
OUT_BATCH(fui(attrib[0]));