From mboxrd@z Thu Jan 1 00:00:00 1970
From: bugzilla-daemon@freedesktop.org
Subject: [Bug 32277] New: overflow in calculate_miptree_layout_r300
Date: Thu, 9 Dec 2010 14:10:15 -0800 (PST)
Message-ID:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
Received: from annarchy.freedesktop.org (annarchy.freedesktop.org
[131.252.210.176])
by gabe.freedesktop.org (Postfix) with ESMTP id D27A09E777
for ;
Thu, 9 Dec 2010 14:10:15 -0800 (PST)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
To: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org
https://bugs.freedesktop.org/show_bug.cgi?id=32277
Summary: overflow in calculate_miptree_layout_r300
Product: Mesa
Version: git
Platform: Other
OS/Version: All
Status: NEW
Severity: major
Priority: medium
Component: Drivers/DRI/R600
AssignedTo: dri-devel@lists.freedesktop.org
ReportedBy: prahal@yahoo.com
Created an attachment (id=40964)
View: https://bugs.freedesktop.org/attachment.cgi?id=40964
Review: https://bugs.freedesktop.org/review?bug=32277&attachment=40964
Fix for the levels array overflow
extremetuxracer 0.5 beta2 shows up a bug in r600c.
The levels array in radeon_mipmap_tree structure is defined with a size of
RADEON_MIPTREE_MAX_TEXTURE (ie 13). Though in radeon_try_alloc_miptree the size
of numLevels can overflow this size.
Then in calculate_miptree_layout_r300 the loop write out of the array.
Which leads to calloc failure in bo_open from radeon_gem_bo due to corrupted
memory.
This patch fixes this by setting the numLevels max to
RADEON_MIPTREE_MAX_TEXTURE.
--
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.