Module: Mesa
Branch: master
Commit: ee31c8d7067ec5a563cdce5a12d8e077db0a7f67
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=ee31c8d7067ec5a563cdce5a12d8e077db0a7f67

Author: Michel Dänzer <michel.daen...@amd.com>
Date:   Thu Jan 22 12:36:13 2015 +0900

r600g,radeonsi: Fix calculation of IR target cap string buffer size

Fixes writing beyond the allocated buffer:

==31855== Invalid write of size 1
==31855==    at 0x50AB2A9: vsprintf (iovsprintf.c:43)
==31855==    by 0x508F6F6: sprintf (sprintf.c:32)
==31855==    by 0xB59C7EC: r600_get_compute_param (r600_pipe_common.c:526)
==31855==    by 0x5B2B7DE: get_compute_param<char> (device.cpp:37)
==31855==    by 0x5B2B7DE: clover::device::ir_target() const (device.cpp:201)
==31855==    by 0x5B398E0: clover::program::build(clover::ref_vector<clover::device> const&, char const*, clover::compat::vector<clover::compat::pair<clover::compat::string, clover::compat::string> > const&) (program.cpp:63)
==31855==    by 0x5B20152: clBuildProgram (program.cpp:182)
==31855==    by 0x400F41: main (hello_world.c:109)
==31855==  Address 0x56fed5f is 0 bytes after a block of size 15 alloc'd
==31855==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==31855==    by 0x5B2B7C2: allocate (new_allocator.h:104)
==31855==    by 0x5B2B7C2: allocate (alloc_traits.h:357)
==31855==    by 0x5B2B7C2: _M_allocate (stl_vector.h:170)
==31855==    by 0x5B2B7C2: _M_create_storage (stl_vector.h:185)
==31855==    by 0x5B2B7C2: _Vector_base (stl_vector.h:136)
==31855==    by 0x5B2B7C2: vector (stl_vector.h:278)
==31855==    by 0x5B2B7C2: get_compute_param<char> (device.cpp:35)
==31855==    by 0x5B2B7C2: clover::device::ir_target() const (device.cpp:201)
==31855==    by 0x5B398E0: clover::program::build(clover::ref_vector<clover::device> const&, char const*, clover::compat::vector<clover::compat::pair<clover::compat::string, clover::compat::string> > const&) (program.cpp:63)
==31855==    by 0x5B20152: clBuildProgram (program.cpp:182)
==31855==    by 0x400F41: main (hello_world.c:109)

Reviewed-by: Marek Olšák <marek.ol...@amd.com>
Reviewed-by: Tom Stellard <thomas.stell...@amd.com>

---

 src/gallium/drivers/radeon/r600_pipe_common.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/gallium/drivers/radeon/r600_pipe_common.c 
b/src/gallium/drivers/radeon/r600_pipe_common.c
index f91772e..ddb4142 100644
--- a/src/gallium/drivers/radeon/r600_pipe_common.c
+++ b/src/gallium/drivers/radeon/r600_pipe_common.c
@@ -524,9 +524,9 @@ static int r600_get_compute_param(struct pipe_screen 
*screen,
                }
                if (ret) {
                        sprintf(ret, "%s-%s", gpu, triple);
-
                }
-               return (strlen(triple) + strlen(gpu)) * sizeof(char);
+               /* +2 for dash and terminating NIL byte */
+               return (strlen(triple) + strlen(gpu) + 2) * sizeof(char);
        }
        case PIPE_COMPUTE_CAP_GRID_DIMENSION:
                if (ret) {
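
Review bot: the `sprintf(ret, "%s-%s", gpu, triple)` kept as context in this hunk is still an unbounded write, and its safety depends entirely on the caller having sized `ret` from the value returned two lines later, so the format string and the `+ 2` have to be kept in sync by hand. Consider deriving both from one place, for example by taking the length from an snprintf call with the same format and adding 1 for the terminator, so that a later change to the format cannot reintroduce the off-by-two seen in the valgrind trace. Minor: the comment says "NIL byte" where the usual name for the terminator is NUL, and `* sizeof(char)` is a multiplication by 1 that could be dropped.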
