http://bugs.freedesktop.org/show_bug.cgi?id=17800

           Summary: Mesa accesses memory out of bounds
           Product: Mesa
           Version: unspecified
          Platform: x86-64 (AMD64)
        OS/Version: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: Mesa core
        AssignedTo: mesa3d-dev@lists.sourceforge.net
        ReportedBy: [EMAIL PROTECTED]


FYI I'm using Mesa 7.2

Trying to determine a crash in my application, valgrind reported the following
error while rendering to a depth texture of 512x512:

==24794== Invalid write of size 4
==24794==    at 0x4F62FF1: store_texel_z32 (texformat_tmp.h:256)
==24794==    by 0x50D8962: texture_put_values (texrender.c:238)
==24794==    by 0x500421E: depth_test_pixels (s_depth.c:1091)
==24794==    by 0x5004251: _swrast_depth_test_span (s_depth.c:1107)
==24794==    by 0x5010D2B: _swrast_write_rgba_span (s_span.c:1332)
==24794==    by 0x5009E39: rgba_line (s_linetemp.h:400)
==24794==    by 0x5001677: _swrast_Line (s_context.c:703)
==24794==    by 0x5067AEC: swsetup_line (ss_triangle.c:282)
==24794==    by 0x4FBDCAE: _tnl_render_lines_verts (t_vb_rendertmp.h:85)
==24794==    by 0x4FC02C0: run_render (t_vb_render.c:320)
==24794==    by 0x4FB0D43: _tnl_run_pipeline (t_pipeline.c:158)
==24794==    by 0x4FB2147: _tnl_draw_prims (t_draw.c:402)

This seems to cause a crash in my application later on when allocating some
other memory.

In depth_test_pixels the following code is executed:

GLuint zbuffer[MAX_WIDTH];
ASSERT(rb->DataType == GL_UNSIGNED_INT);
_swrast_get_values(ctx, rb, count, x, y, zbuffer, sizeof(GLuint));
depth_test_span32(ctx, count, zbuffer, z, mask );
rb->PutValues(ctx, rb, count, x, y, zbuffer, NULL);

The problem is that the first value in the 'y' array contains 512. Assuming the
correct range is [0-511] this will cause a read outside the bounds of the
texImage->Data array. The _swrast_get_values doesn't cause an invalid read,
since that function will actually do proper bounds checking before fetching
values from texImage->Data.

I'm not sure why the y array contains 512, so I'm not sure if it is a bug
upstream (i.e. where the y array gets filled), or the PutValues should do proper
bounds checking instead.


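An added example, not part of the original report and not Mesa's code: a simplified C model of the second option the report raises, a scattered write that bounds-checks each coordinate pair the way the read path is described as doing. The struct and function names are hypothetical, and the coordinates are constructed from the report's 512x512 case, where y = 512 maps to the first index past the end of the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for a depth renderbuffer backed by texture memory.
 * All names are hypothetical; this is not Mesa's data structure. */
struct depth_rb {
    int width, height;
    uint32_t *data;                 /* width * height texels, row-major */
};

/* Linear index that a store to (x, y) uses. */
static size_t texel_index(const struct depth_rb *rb, int x, int y) {
    return (size_t)y * (size_t)rb->width + (size_t)x;
}

static int in_bounds(const struct depth_rb *rb, int x, int y) {
    return x >= 0 && y >= 0 && x < rb->width && y < rb->height;
}

/* Scattered write that validates each coordinate pair before storing.
 * mask may be NULL (write every pixel). Returns how many pixels were
 * rejected because they fall outside the buffer. */
static int put_values_checked(struct depth_rb *rb, int count,
                              const int x[], const int y[],
                              const uint32_t values[], const uint8_t *mask) {
    int rejected = 0;
    for (int i = 0; i < count; i++) {
        if (mask && !mask[i])
            continue;
        if (!in_bounds(rb, x[i], y[i])) {
            rejected++;             /* an unchecked store would write past data[] */
            continue;
        }
        rb->data[texel_index(rb, x[i], y[i])] = values[i];
    }
    return rejected;
}

int main(void) {
    struct depth_rb rb = { 512, 512, calloc(512 * 512, sizeof(uint32_t)) };
    int x[] = { 0, 1 }, y[] = { 512, 511 };   /* constructed: first y is one row too far */
    uint32_t z[] = { 0xAAAAAAAAu, 0xBBBBBBBBu };
    if (!rb.data) return 1;
    printf("index for (0,512) = %zu of %d texels\n", texel_index(&rb, 0, 512), 512 * 512);
    printf("rejected = %d\n", put_values_checked(&rb, 2, x, y, z, NULL));
    free(rb.data);
    return 0;
}
```

A nonzero return value marks a span whose coordinates were already wrong when they reached the write path, which is the upstream case the report also considers.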