mesa: fix out of bounds memory read in mipmap gen code

author Brian Paul <brianp@vmware.com>

Wed, 1 Sep 2010 19:21:51 +0000 (13:21 -0600)

committer Brian Paul <brianp@vmware.com>

Wed, 1 Sep 2010 19:24:26 +0000 (13:24 -0600)
author Brian Paul <brianp@vmware.com>
Wed, 1 Sep 2010 19:21:51 +0000 (13:21 -0600)
committer Brian Paul <brianp@vmware.com>
Wed, 1 Sep 2010 19:24:26 +0000 (13:24 -0600)
diff --git a/src/mesa/main/mipmap.c b/src/mesa/main/mipmap.c

index c0c29f78893875e6152183e74f382b3baea6bc76..678d17a2a3654b84ecec4c6b53a6b0c060546ebb 100644 (file)
--- a/src/mesa/main/mipmap.c
+++ b/src/mesa/main/mipmap.c
@@ -1005,21 +1005,28 @@ make_2d_mipmap(GLenum datatype, GLuint comps, GLint border,
     const GLint dstRowBytes = bpt * dstRowStride;
     const GLubyte *srcA, *srcB;
     GLubyte *dst;
-   GLint row;
+   GLint row, srcRowStep;
  
     /* Compute src and dst pointers, skipping any border */
     srcA = srcPtr + border * ((srcWidth + 1) * bpt);
-   if (srcHeight > 1) 
+   if (srcHeight > 1 && srcHeight > dstHeight) {
+      /* sample from two source rows */
        srcB = srcA + srcRowBytes;
-   else
+      srcRowStep = 2;
+   }
+   else {
+      /* sample from one source row */
        srcB = srcA;
+      srcRowStep = 1;
+   }
+
     dst = dstPtr + border * ((dstWidth + 1) * bpt);
  
     for (row = 0; row < dstHeightNB; row++) {
        do_row(datatype, comps, srcWidthNB, srcA, srcB,
               dstWidthNB, dst);
-      srcA += 2 * srcRowBytes;
-      srcB += 2 * srcRowBytes;
+      srcA += srcRowStep * srcRowBytes;
+      srcB += srcRowStep * srcRowBytes;
        dst += dstRowBytes;
     }
author	Brian Paul <brianp@vmware.com>
	Wed, 1 Sep 2010 19:21:51 +0000 (13:21 -0600)
committer	Brian Paul <brianp@vmware.com>
	Wed, 1 Sep 2010 19:24:26 +0000 (13:24 -0600)