On 20/08/2018 17:20, [email protected] wrote:
From: Andrii Simiklit <[email protected]>

The "gen_group_get_length" function can return a negative value
and it can lead to an out-of-bounds group_iter.

v2: printing of "unknown command type" was added
v3: just the asserts are added

Signed-off-by: Andrii Simiklit <[email protected]>

Reviewed-by: Lionel Landwerlin <[email protected]>

Somebody should take a look at the other patches I sent out ;)
Thanks!

-
Lionel
---
  src/intel/common/gen_decoder.c | 5 ++++-
  1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/intel/common/gen_decoder.c b/src/intel/common/gen_decoder.c
index ec0a486..2d9609a 100644
--- a/src/intel/common/gen_decoder.c
+++ b/src/intel/common/gen_decoder.c
@@ -803,8 +803,10 @@ static bool
  iter_more_groups(const struct gen_field_iterator *iter)
  {
     if (iter->group->variable) {
+      int length = gen_group_get_length(iter->group, iter->p);
+      assert(length >= 0 && "error the length is unknown!");
        return iter_group_offset_bits(iter, iter->group_iter + 1) <
-              (gen_group_get_length(iter->group, iter->p) * 32);
+              (length * 32);
     } else {
        return (iter->group_iter + 1) < iter->group->group_count ||
           iter->group->next != NULL;
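
Review bot: in iter_more_groups the new assert is the only guard against a negative length, and assert() is compiled out when NDEBUG is defined, so in those builds a negative value still reaches the `(length * 32)` comparison exactly as it did before the patch. Since the commit message says gen_group_get_length can return a negative value, consider an explicit check in the variable-group branch, for example `if (length < 0) return false;`, and keep the assert only as a debugging aid. The assert text "error the length is unknown!" would also be more useful if it named the condition that failed, given that the "unknown command type" print from v2 is no longer there.
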
@@ -991,6 +993,7 @@ gen_field_iterator_init(struct gen_field_iterator *iter,
     iter->p_bit = p_bit;
int length = gen_group_get_length(iter->group, iter->p);
+   assert(length >= 0 && "error the length is unknown!");
     iter->p_end = length > 0 ? &p[length] : NULL;
     iter->print_colors = print_colors;
  }
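
Review bot: in gen_field_iterator_init the assert sits directly above `iter->p_end = length > 0 ? &p[length] : NULL;`, which already maps any non-positive length to NULL, so the two lines disagree on whether a negative length is fatal or tolerated. With asserts enabled the decoder aborts; with NDEBUG defined it carries on silently with p_end set to NULL. Pick one policy and state it in a comment next to the assert: either treat a negative length as a handled error and make sure the code that consumes p_end copes with NULL, or, if it is a programming error, say so in the assert message.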


_______________________________________________
mesa-dev mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/mesa-dev
