* [Bug 32277] New: overflow in calculate_miptree_layout_r300
@ 2010-12-09 22:10 bugzilla-daemon
2010-12-09 22:11 ` [Bug 32277] " bugzilla-daemon
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: bugzilla-daemon @ 2010-12-09 22:10 UTC (permalink / raw)
To: dri-devel
https://bugs.freedesktop.org/show_bug.cgi?id=32277
Summary: overflow in calculate_miptree_layout_r300
Product: Mesa
Version: git
Platform: Other
OS/Version: All
Status: NEW
Severity: major
Priority: medium
Component: Drivers/DRI/R600
AssignedTo: dri-devel@lists.freedesktop.org
ReportedBy: prahal@yahoo.com
Created an attachment (id=40964)
View: https://bugs.freedesktop.org/attachment.cgi?id=40964
Review: https://bugs.freedesktop.org/review?bug=32277&attachment=40964
Fix for the levels array overflow
extremetuxracer 0.5 beta2 shows up a bug in r600c.
The levels array in radeon_mipmap_tree structure is defined with a size of
RADEON_MIPTREE_MAX_TEXTURE (ie 13). Though in radeon_try_alloc_miptree the size
of numLevels can overflow this size.
Then in calculate_miptree_layout_r300 the loop write out of the array.
Which leads to calloc failure in bo_open from radeon_gem_bo due to corrupted
memory.
This patch fixes this by setting the numLevels max to
RADEON_MIPTREE_MAX_TEXTURE.
--
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread* [Bug 32277] overflow in calculate_miptree_layout_r300 2010-12-09 22:10 [Bug 32277] New: overflow in calculate_miptree_layout_r300 bugzilla-daemon @ 2010-12-09 22:11 ` bugzilla-daemon 2010-12-09 22:14 ` bugzilla-daemon ` (2 subsequent siblings) 3 siblings, 0 replies; 5+ messages in thread From: bugzilla-daemon @ 2010-12-09 22:11 UTC (permalink / raw) To: dri-devel https://bugs.freedesktop.org/show_bug.cgi?id=32277 --- Comment #1 from Alban Browaeys <prahal@yahoo.com> 2010-12-09 14:11:16 PST --- Created an attachment (id=40965) --> (https://bugs.freedesktop.org/attachment.cgi?id=40965) backtrace of the calloc failure in radeon drm due to this previous corruption -- Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug 32277] overflow in calculate_miptree_layout_r300 2010-12-09 22:10 [Bug 32277] New: overflow in calculate_miptree_layout_r300 bugzilla-daemon 2010-12-09 22:11 ` [Bug 32277] " bugzilla-daemon @ 2010-12-09 22:14 ` bugzilla-daemon 2010-12-12 23:55 ` bugzilla-daemon 2010-12-20 15:06 ` bugzilla-daemon 3 siblings, 0 replies; 5+ messages in thread From: bugzilla-daemon @ 2010-12-09 22:14 UTC (permalink / raw) To: dri-devel https://bugs.freedesktop.org/show_bug.cgi?id=32277 --- Comment #2 from Alban Browaeys <prahal@yahoo.com> 2010-12-09 14:14:53 PST --- Created an attachment (id=40967) --> (https://bugs.freedesktop.org/attachment.cgi?id=40967) valgrind output from such an etracer run which shows the overflow the overflow happens in in radeon_mipmap_tree.c:195 ie calculate_miptree_layout_r300 and has origin radeon_try_alloc_miptree . -- Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug 32277] overflow in calculate_miptree_layout_r300 2010-12-09 22:10 [Bug 32277] New: overflow in calculate_miptree_layout_r300 bugzilla-daemon 2010-12-09 22:11 ` [Bug 32277] " bugzilla-daemon 2010-12-09 22:14 ` bugzilla-daemon @ 2010-12-12 23:55 ` bugzilla-daemon 2010-12-20 15:06 ` bugzilla-daemon 3 siblings, 0 replies; 5+ messages in thread From: bugzilla-daemon @ 2010-12-12 23:55 UTC (permalink / raw) To: dri-devel https://bugs.freedesktop.org/show_bug.cgi?id=32277 --- Comment #3 from Alex Deucher <agd5f@yahoo.com> 2010-12-12 15:55:31 PST --- This should be fixed in: http://cgit.freedesktop.org/mesa/mesa/commit/?id=fd543e1f9506fe41e6e9e78aebbe0bca01df055c -- Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug 32277] overflow in calculate_miptree_layout_r300 2010-12-09 22:10 [Bug 32277] New: overflow in calculate_miptree_layout_r300 bugzilla-daemon ` (2 preceding siblings ...) 2010-12-12 23:55 ` bugzilla-daemon @ 2010-12-20 15:06 ` bugzilla-daemon 3 siblings, 0 replies; 5+ messages in thread From: bugzilla-daemon @ 2010-12-20 15:06 UTC (permalink / raw) To: dri-devel https://bugs.freedesktop.org/show_bug.cgi?id=32277 Alban Browaeys <prahal@yahoo.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #4 from Alban Browaeys <prahal@yahoo.com> 2010-12-20 07:06:40 PST --- User reported the issue as fixed. Can be closed. Thank you -- Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2010-12-20 15:06 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-12-09 22:10 [Bug 32277] New: overflow in calculate_miptree_layout_r300 bugzilla-daemon 2010-12-09 22:11 ` [Bug 32277] " bugzilla-daemon 2010-12-09 22:14 ` bugzilla-daemon 2010-12-12 23:55 ` bugzilla-daemon 2010-12-20 15:06 ` bugzilla-daemon
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.