projects / mesa.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: aebcf26)
i965: Use safer pointer arithmetic in intel_texsubimage_tiled_memcpy()
authorChad Versace <chad.versace@linux.intel.com>
Wed, 19 Nov 2014 05:11:25 +0000 (21:11 -0800)
committerChad Versace <chad.versace@intel.com>
Mon, 22 Dec 2014 21:47:11 +0000 (15:47 -0600)
This patch reduces the likelihood of pointer arithmetic overflow bugs in
intel_texsubimage_tiled_memcpy() , like the one fixed by b69c7c5dac.

I haven't yet encountered any overflow bugs in the wild along this
patch's codepath. But I recently solved, in commit b69c7c5dac, an overflow
bug in a line of code that looks very similar to pointer arithmetic in
this function.

This patch conceptually applies the same fix as in b69c7c5dac. Instead
of retyping the variables, though, this patch adds some casts. (I tried
to retype the variables as ptrdiff_t, but it quickly got very messy. The
casts are cleaner).

Reviewed-by: Kenneth Graunke <kenneth@whitecape.org>
Signed-off-by: Chad Versace <chad.versace@linux.intel.com>
src/mesa/drivers/dri/i965/intel_tex_subimage.c patch | blob | history

diff --git a/src/mesa/drivers/dri/i965/intel_tex_subimage.c b/src/mesa/drivers/dri/i965/intel_tex_subimage.c
index cb5738a93871bb9988fe092efd255dc3327ee64d..3e4ed1b01e0674f5e1ac0c16b5b11168c2f3c883 100644 (file)
--- a/src/mesa/drivers/dri/i965/intel_tex_subimage.c
+++ b/src/mesa/drivers/dri/i965/intel_tex_subimage.c
@@ -488,8 +488,8 @@ linear_to_tiled(uint32_t xt1, uint32_t xt2,
          /* Translate by (xt,yt) for single-tile copier. */
          tile_copy(x0-xt, x1-xt, x2-xt, x3-xt,
                    y0-yt, y1-yt,
-                   dst + xt * th + yt * dst_pitch,
-                   src + xt      + yt * src_pitch,
+                   dst + (ptrdiff_t) xt * th + (ptrdiff_t) yt * dst_pitch,
+                   src + (ptrdiff_t) xt      + (ptrdiff_t) yt * src_pitch,
                    src_pitch,
                    swizzle_bit,
                    mem_copy);
@@ -654,7 +654,8 @@ intel_texsubimage_tiled_memcpy(struct gl_context * ctx,
    linear_to_tiled(
       xoffset * cpp, (xoffset + width) * cpp,
       yoffset, yoffset + height,
-      bo->virtual, pixels - yoffset * src_pitch - xoffset * cpp,
+      bo->virtual,
+      pixels - (ptrdiff_t) yoffset * src_pitch - (ptrdiff_t) xoffset * cpp,
       image->mt->pitch, src_pitch,
       brw->has_swizzling,
       image->mt->tiling,