Commit
r600: fix r600_draw_vbo() buffer overflow
The previous implementation was copying the data using the aligned length (size_dw). The aligned length could overflow the original buffer size.

For instance, this issue is triggered with "piglit/bin/draw-batch -auto -fbo":

==5736==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff139c77e8 at pc 0x7f25b350a9a0 bp 0x7fff139c6cb0 sp 0x7fff139c6460
READ of size 8 at 0x7fff139c77e8 thread T0
    #0 0x7f25b350a99f in __interceptor_memcpy (/usr/lib64/libasan.so.6+0x3c99f)
    #1 0x7f25a8fcdf24 in radeon_emit_array ../src/gallium/include/winsys/radeon_winsys.h:760
    #2 0x7f25a8fcdf24 in r600_draw_vbo ../src/gallium/drivers/r600/r600_state_common.c:2448
    #3 0x7f25a8ae7ba1 in u_vbuf_draw_vbo ../src/gallium/auxiliary/util/u_vbuf.c:1791
    #4 0x7f25a7bc18ca in _mesa_validated_drawrangeelements ../src/mesa/main/draw.c:1696
    #5 0x7f25a7bc7e53 in _mesa_DrawElements ../src/mesa/main/draw.c:1824

Fixes: 0cf5d1f ("gallium: remove PIPE_CAP_INFO_START_WITH_USER_INDICES and fix all drivers")
Signed-off-by: Patrick Lerda <[email protected]>
Reviewed-by: Marek Olšák <[email protected]>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23436>
(cherry picked from commit 340311d)
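The failure mode the commit message describes, as an added example that is neither Mesa's code nor the actual patch: a copy sized by the dword-aligned length reads past a source whose byte length is not a multiple of 4, while a bounded copy reads only the real length and zero-fills the padding. The helper names `emit_aligned`, `emit_bounded`, `leaks_neighbour` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Dwords needed to hold `bytes` bytes, rounded up. */
static size_t dwords_for(size_t bytes) { return (bytes + 3) / 4; }

/* Bytes an aligned-length copy reads beyond the end of the source. */
static size_t overread_bytes(size_t bytes) { return dwords_for(bytes) * 4 - bytes; }

/* Pattern from the commit message: the copy length is the aligned size. */
static size_t emit_aligned(uint32_t *dst, size_t dst_dw, const void *src, size_t bytes)
{
    size_t size_dw = dwords_for(bytes);
    if (size_dw > dst_dw) return 0;
    memcpy(dst, src, size_dw * 4);   /* reads overread_bytes(bytes) past src */
    return size_dw;
}

/* Bounded form: read exactly `bytes`, zero-fill the alignment padding. */
static size_t emit_bounded(uint32_t *dst, size_t dst_dw, const void *src, size_t bytes)
{
    size_t size_dw = dwords_for(bytes);
    if (size_dw == 0 || size_dw > dst_dw) return 0;
    dst[size_dw - 1] = 0;            /* padding bytes become defined zeros */
    memcpy(dst, src, bytes);         /* never touches memory past the source */
    return size_dw;
}

/* Constructed sample: 6 bytes of index data followed by 2 unrelated bytes,
 * standing in for whatever sits next to the real buffer on the stack. */
static const uint8_t sample[8] = {0, 0, 1, 0, 2, 0, 0xAA, 0xBB};

/* Returns 1 if the two neighbouring bytes reached the output, -1 on error. */
static int leaks_neighbour(size_t (*emit)(uint32_t *, size_t, const void *, size_t))
{
    uint32_t out[2] = {0, 0};
    const uint8_t *b = (const uint8_t *)out;
    if (emit(out, 2, sample, 6) != 2) return -1;
    return b[6] == 0xAA && b[7] == 0xBB;
}

int main(void)
{
    printf("over-read for 6 bytes: %zu\n", overread_bytes(6));
    printf("aligned copy leaks neighbour: %d\n", leaks_neighbour(emit_aligned));
    printf("bounded copy leaks neighbour: %d\n", leaks_neighbour(emit_bounded));
    return 0;
}
```

The sample keeps the neighbouring bytes inside one array so the aligned copy stays defined behaviour here; against a real 6-byte stack object the same read is what AddressSanitizer reports.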