From: Eric Anholt <eric@anholt.net>
Date: Thu, 30 Jul 2009 05:39:15 +0000 (-0700)
Subject: i915: Bail when the fragment program has too many total instructions.
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=4ff816751f74b0645c198372937eec589c458a60;p=mesa.git

i915: Bail when the fragment program has too many total instructions.

Previously, we'd go trashing the heap.
---

diff --git a/src/mesa/drivers/dri/i915/i915_program.c b/src/mesa/drivers/dri/i915/i915_program.c
index 85a1b0cf5d9..6ccc9eea3e0 100644
--- a/src/mesa/drivers/dri/i915/i915_program.c
+++ b/src/mesa/drivers/dri/i915/i915_program.c
@@ -186,6 +186,11 @@ i915_emit_arith(struct i915_fragment_program * p,
       p->utemp_flag = old_utemp_flag;   /* restore */
    }
 
+   if (p->csr >= p->program + I915_PROGRAM_SIZE) {
+      i915_program_error(p, "Program contains too many instructions");
+      return UREG_BAD;
+   }
+
    *(p->csr++) = (op | A0_DEST(dest) | mask | saturate | A0_SRC0(src0));
    *(p->csr++) = (A1_SRC0(src0) | A1_SRC1(src1));
    *(p->csr++) = (A2_SRC1(src1) | A2_SRC2(src2));
@@ -270,6 +275,11 @@ GLuint i915_emit_texld( struct i915_fragment_program *p,
 	  p->register_phases[GET_UREG_NR(coord)] == p->nr_tex_indirect)
 	 p->nr_tex_indirect++;
 
+      if (p->csr >= p->program + I915_PROGRAM_SIZE) {
+	 i915_program_error(p, "Program contains too many instructions");
+	 return UREG_BAD;
+      }
+
       *(p->csr++) = (op | 
 		     T0_DEST( dest ) |
 		     T0_SAMPLER( sampler ));