projects / mesa.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 39fe03e)
nvc0: fix out of bounds writes for unaligned sizes in push_data
authorChristoph Bumiller <e0425955@student.tuwien.ac.at>
Tue, 8 Jan 2013 12:46:24 +0000 (13:46 +0100)
committerChristoph Bumiller <e0425955@student.tuwien.ac.at>
Tue, 8 Jan 2013 15:13:51 +0000 (16:13 +0100)
src/gallium/drivers/nvc0/nvc0_transfer.c patch | blob | history

diff --git a/src/gallium/drivers/nvc0/nvc0_transfer.c b/src/gallium/drivers/nvc0/nvc0_transfer.c
index 66753c9135ba45cd9da68d75ff72ef9056cc3044..16467cee4896d5f8082ae85695ec7f5ab4a5a833 100644 (file)
--- a/src/gallium/drivers/nvc0/nvc0_transfer.c
+++ b/src/gallium/drivers/nvc0/nvc0_transfer.c
@@ -201,7 +201,7 @@ nvc0_m2mf_push_linear(struct nouveau_context *nv,
       PUSH_DATAh(push, dst->offset + offset);
       PUSH_DATA (push, dst->offset + offset);
       BEGIN_NVC0(push, NVC0_M2MF(LINE_LENGTH_IN), 2);
-      PUSH_DATA (push, nr * 4);
+      PUSH_DATA (push, MIN2(size, nr * 4));
       PUSH_DATA (push, 1);
       BEGIN_NVC0(push, NVC0_M2MF(EXEC), 1);
       PUSH_DATA (push, 0x100111);
@@ -213,6 +213,7 @@ nvc0_m2mf_push_linear(struct nouveau_context *nv,
       count -= nr;
       src += nr;
       offset += nr * 4;
+      size -= nr * 4;
    }
 
    nouveau_bufctx_reset(nvc0->bufctx, 0);
@@ -246,7 +247,7 @@ nve4_p2mf_push_linear(struct nouveau_context *nv,
       PUSH_DATAh(push, dst->offset + offset);
       PUSH_DATA (push, dst->offset + offset);
       BEGIN_NVC0(push, NVE4_P2MF(LINE_LENGTH_IN), 2);
-      PUSH_DATA (push, nr * 4);
+      PUSH_DATA (push, MIN2(size, nr * 4));
       PUSH_DATA (push, 1);
       /* must not be interrupted (trap on QUERY fence, 0x50 works however) */
       BEGIN_1IC0(push, NVE4_P2MF(EXEC), nr + 1);
@@ -256,6 +257,7 @@ nve4_p2mf_push_linear(struct nouveau_context *nv,
       count -= nr;
       src += nr;
       offset += nr * 4;
+      size -= nr * 4;
    }
 
    nouveau_bufctx_reset(nvc0->bufctx, 0);