From 4ff3467daf0ac07e4295c7d2e2ad3c3c8c89dff6 Mon Sep 17 00:00:00 2001 From: Brian Paul Date: Wed, 1 Sep 2010 13:21:51 -0600 Subject: [PATCH] mesa: fix out of bounds memory read in mipmap gen code Out of bounds reads could happen for reducing WxH to WxH/2 or WxH to W/2xH. Fixes fd.o bug 29918. --- src/mesa/main/mipmap.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/src/mesa/main/mipmap.c b/src/mesa/main/mipmap.c index c0c29f78893..678d17a2a36 100644 --- a/src/mesa/main/mipmap.c +++ b/src/mesa/main/mipmap.c @@ -1005,21 +1005,28 @@ make_2d_mipmap(GLenum datatype, GLuint comps, GLint border, const GLint dstRowBytes = bpt * dstRowStride; const GLubyte *srcA, *srcB; GLubyte *dst; - GLint row; + GLint row, srcRowStep; /* Compute src and dst pointers, skipping any border */ srcA = srcPtr + border * ((srcWidth + 1) * bpt); - if (srcHeight > 1) + if (srcHeight > 1 && srcHeight > dstHeight) { + /* sample from two source rows */ srcB = srcA + srcRowBytes; - else + srcRowStep = 2; + } + else { + /* sample from one source row */ srcB = srcA; + srcRowStep = 1; + } + dst = dstPtr + border * ((dstWidth + 1) * bpt); for (row = 0; row < dstHeightNB; row++) { do_row(datatype, comps, srcWidthNB, srcA, srcB, dstWidthNB, dst); - srcA += 2 * srcRowBytes; - srcB += 2 * srcRowBytes; + srcA += srcRowStep * srcRowBytes; + srcB += srcRowStep * srcRowBytes; dst += dstRowBytes; } -- 2.30.2