From bdd1335e4fb9c87f6c40afad134fbe64bed5f4d3 Mon Sep 17 00:00:00 2001
From: Boris Brezillon
Date: Sun, 15 Sep 2024 15:30:35 +0200
Subject: [PATCH] pan/cs: Fix buffer overflow in cs_block_end()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If cs_alloc_ins() fails, it returns a dummy instruction slot, which can only hold one instruction. Make sure we skip the memcpy() if the CS is invalid to avoid a buffer overflow.

Signed-off-by: Boris Brezillon
Reviewed-by: Lars-Ivar Hesselberg Simonsen
Reviewed-by: Louis-Francis Ratté-Boulianne
Part-of:
---
 src/panfrost/lib/genxml/cs_builder.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/panfrost/lib/genxml/cs_builder.h b/src/panfrost/lib/genxml/cs_builder.h
index 4868459f93f..d197091367e 100644
--- a/src/panfrost/lib/genxml/cs_builder.h
+++ b/src/panfrost/lib/genxml/cs_builder.h
@@ -632,7 +632,9 @@ cs_block_end(struct cs_builder *b)
 util_dynarray_num_elements(&b->blocks.instrs, uint64_t);
 void *buffer = cs_alloc_ins(b, num_instrs);
- memcpy(buffer, b->blocks.instrs.data, b->blocks.instrs.size);
+ if (likely(cs_is_valid(b)))
+ memcpy(buffer, b->blocks.instrs.data, b->blocks.instrs.size);
+
 util_dynarray_clear(&b->blocks.instrs);
 }
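Review bot: The new `if (likely(cs_is_valid(b)))` guard before the memcpy() is only sound if every path in cs_alloc_ins() that hands back the one-instruction dummy slot also marks the builder invalid, and that coupling is not visible in this hunk. I would state it next to the check, e.g. `/* cs_alloc_ins() returns a 1-instruction dummy slot on failure and invalidates the CS; copying num_instrs entries there would overflow it. */`, so a later change to the failure path does not silently reopen the overflow. The copy length (`b->blocks.instrs.size`, in bytes) and the allocation size (`num_instrs`, in uint64_t elements) are derived separately; they presumably agree because the array holds whole instructions, but writing the length as `num_instrs * sizeof(uint64_t)` would tie the two together. cs_block_end() begins above the hunk, so how an already-invalid builder is handled earlier in the function cannot be checked from here.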