AlexIndustrial/mesa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tu: Avoid buffer overflows during inline uniform block updates.

Browse Source 
At the last round of the "remaining > 0" loop, we'd deref of the end of
binding layout in setting up pointers for the next loop.  We don't need
these values that were getting updated at this point.

Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/38684>
This commit is contained in:
Emma Anholt
2025-11-26 14:47:32 -08:00
committed by Marge Bot
parent da5a555e40
commit 24d9592118
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/freedreno/vulkan/tu_descriptor_set.cc
View File

@@ -1271,10 +1271,11 @@ tu_update_descriptor_sets(const struct tu_device *device,
memcpy(dst, src, to_write);
binding_layout++;
ptr = set->mapped_ptr + binding_layout->offset / 4;
dst_offset = 0;
src += to_write;
remaining -= to_write;
if (remaining)
ptr = set->mapped_ptr + binding_layout->offset / 4;
} while (remaining > 0);
continue;
@@ -1379,7 +1380,9 @@ tu_update_descriptor_sets(const struct tu_device *device,
src_remaining -= to_write;
dst_remaining -= to_write;
remaining -= to_write;
if (!remaining)
break;
if (src_remaining == 0) {
src_binding_layout++;
src_ptr = src_set->mapped_ptr + src_binding_layout->offset / 4;