http://bugs.freedesktop.org/show_bug.cgi?id=18445


Eero Pajarre <[EMAIL PROTECTED]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[EMAIL PROTECTED]




--- Comment #3 from Eero Pajarre <[EMAIL PROTECTED]>  2008-11-10 23:30:35 PST ---
(In reply to comment #1)
> Nice find.  The code in question has been as-is for many years so this goes
> way back.
> 
> The problem is when the GLX reply is an array, the number of bytes returned is
> always a multiple of four.  If the 'residences' array isn't a multiple of four
> in size, out-of-bounds writes could occur.
> 
> The solution is to allocate a temporary buffer which is a multiple of four
> bytes when necessary.
> 
> I'm about to commit a fix to Mesa for this.  Unfortunately, it involves
> special-casing the indirect AreTextureResident() function whereas it was
> auto-generated before.
> 


I think I disagree here. I think that the real/main problem here is
that if __glXReadReply is given the last argument "true",
it will try to read the reply data using size 4 * reply.length
                                             ^^^
(indirect.c line 77). So using your patch, wouldn't this cause
an overrun of the malloc'ed buffer? (Or does _XRead limit this
based on available data or something?)

I would actually suggest fixing this problem by using the original
code, but just changing the last argument to GL_FALSE for __glXReadReply.
(I don't really know if this is ok, but it does not crash, and
similar code exists for example in glAreProgramsResidentNV.)

(I have done my tests using the Mesa-7.2 source code.
I need to find out where dri2tokens.h is before I can compile
the git version....)

I am taking the liberty of marking this with "Reopen bug",



           Eero


_______________________________________________
Mesa3d-dev mailing list
https://lists.sourceforge.net/lists/listinfo/mesa3d-dev
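
The length mismatch discussed in this thread, as an added example that is not Mesa's code and not part of the original message: a reader for an array reply whose wire size is a multiple of four, which checks the reported length against the request and hands only the requested bytes to the caller. `struct wire`, `wire_read` and `read_array_reply` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the connection: a byte stream holding the reply payload. */
struct wire { const uint8_t *data; size_t len, pos; };

/* Hypothetical helper: consume exactly n bytes from the stream, or fail. */
static int wire_read(struct wire *w, void *dst, size_t n) {
    if (n > w->len - w->pos) return -1;
    memcpy(dst, w->data + w->pos, n);
    w->pos += n;
    return 0;
}

/* Copy an n-byte array reply into dest; reply_length counts 4-byte units.
 * Returns 0 on success, -1 on a length mismatch or a read/alloc failure. */
int read_array_reply(struct wire *w, uint32_t reply_length, uint8_t *dest, size_t n) {
    size_t wire_bytes = (size_t)reply_length * 4;  /* what the sender put on the wire */
    if (n > SIZE_MAX - 3 || wire_bytes != ((n + 3) & ~(size_t)3))
        return -1;                      /* reply size does not match the request */
    if (wire_bytes == n)
        return wire_read(w, dest, n);   /* already a multiple of four */
    uint8_t *tmp = malloc(wire_bytes);  /* padded scratch buffer */
    if (tmp == NULL) return -1;
    int rc = wire_read(w, tmp, wire_bytes);  /* drains the padding as well */
    if (rc == 0) memcpy(dest, tmp, n);  /* only n bytes reach the caller */
    free(tmp);
    return rc;
}

/* Constructed sample: 5 result bytes padded to 8 on the wire. */
static const uint8_t sample[8] = { 1, 0, 1, 1, 0, 0xAA, 0xAA, 0xAA };

/* Returns 1 if the 5 results arrive and the guard bytes after them are untouched. */
int demo_unaligned(void) {
    struct wire w = { sample, sizeof sample, 0 };
    uint8_t buf[8] = { 9, 9, 9, 9, 9, 0x5C, 0x5C, 0x5C };  /* last 3 = guard */
    if (read_array_reply(&w, 2, buf, 5) != 0) return 0;
    return memcmp(buf, sample, 5) == 0 && buf[5] == 0x5C && buf[6] == 0x5C
        && buf[7] == 0x5C && w.pos == 8;
}

/* Returns 1 if a reply claiming 3 words for a 5-byte request is rejected unread. */
int demo_bad_length(void) {
    struct wire w = { sample, sizeof sample, 0 };
    uint8_t buf[5];
    return read_array_reply(&w, 3, buf, 5) == -1 && w.pos == 0;
}
```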
