pan/cs: Fix buffer overflow in cs_block_end()

If cs_alloc_ins() fails, it returns a dummy instruction slot, which can
only hold one instruction. Make sure we skip the memcpy() if the CS
is invalid to avoid a buffer overflow.

Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Lars-Ivar Hesselberg Simonsen <lars-ivar.simonsen@arm.com>
Reviewed-by: Louis-Francis Ratté-Boulianne <lfrb@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/31205>
Boris Brezillon
2024-09-15 15:30:35 +02:00
committed by Marge Bot
parent 843608a9f4
commit bdd1335e4f

@@ -632,7 +632,9 @@ cs_block_end(struct cs_builder *b)
util_dynarray_num_elements(&b->blocks.instrs, uint64_t);
void *buffer = cs_alloc_ins(b, num_instrs);
memcpy(buffer, b->blocks.instrs.data, b->blocks.instrs.size);
if (likely(cs_is_valid(b)))
memcpy(buffer, b->blocks.instrs.data, b->blocks.instrs.size);
util_dynarray_clear(&b->blocks.instrs);
}
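
Review bot: The new `if (likely(cs_is_valid(b)))` guard in front of the memcpy() has no comment, and its reason is recorded only in the commit message: when cs_alloc_ins() fails, `buffer` points at a dummy slot that holds one instruction, while `b->blocks.instrs.size` covers all `num_instrs` instructions. A short comment above the check saying that `buffer` may be the single-instruction dummy slot would keep a later cleanup from dropping the guard as redundant. Since the hazard comes from the return contract of cs_alloc_ins() rather than from cs_block_end() itself, it is also worth confirming that any other place that requests more than one instruction and writes through the returned pointer has the same check, or folding the check and the copy into one helper so the contract is enforced in a single spot.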