From: <bug...@fr...> - 2008-09-26 20:14:25
http://bugs.freedesktop.org/show_bug.cgi?id=17800

           Summary: Mesa accesses memory out of bounds
           Product: Mesa
           Version: unspecified
          Platform: x86-64 (AMD64)
        OS/Version: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: Mesa core
        AssignedTo: mes...@li...
        ReportedBy: s.j...@gm...

FYI I'm using Mesa 7.2

Trying to determine a crash in my application, valgrind reported the following error while rendering to a depth texture of 512x512:

==24794== Invalid write of size 4
==24794==    at 0x4F62FF1: store_texel_z32 (texformat_tmp.h:256)
==24794==    by 0x50D8962: texture_put_values (texrender.c:238)
==24794==    by 0x500421E: depth_test_pixels (s_depth.c:1091)
==24794==    by 0x5004251: _swrast_depth_test_span (s_depth.c:1107)
==24794==    by 0x5010D2B: _swrast_write_rgba_span (s_span.c:1332)
==24794==    by 0x5009E39: rgba_line (s_linetemp.h:400)
==24794==    by 0x5001677: _swrast_Line (s_context.c:703)
==24794==    by 0x5067AEC: swsetup_line (ss_triangle.c:282)
==24794==    by 0x4FBDCAE: _tnl_render_lines_verts (t_vb_rendertmp.h:85)
==24794==    by 0x4FC02C0: run_render (t_vb_render.c:320)
==24794==    by 0x4FB0D43: _tnl_run_pipeline (t_pipeline.c:158)
==24794==    by 0x4FB2147: _tnl_draw_prims (t_draw.c:402)

This seems to cause a crash in my application later on when allocating some other memory.

In depth_test_pixels the following code is executed:

    GLuint zbuffer[MAX_WIDTH];
    ASSERT(rb->DataType == GL_UNSIGNED_INT);
    _swrast_get_values(ctx, rb, count, x, y, zbuffer, sizeof(GLuint));
    depth_test_span32(ctx, count, zbuffer, z, mask );
    rb->PutValues(ctx, rb, count, x, y, zbuffer, NULL);

The problem is that the first value in the 'y' array contains 512. Assuming the correct range is [0-511] this will cause a read outside the bounds of the texImage->Data array. The _swrast_get_values doesn't cause an invalid read, since that function will actually do proper bounds checking before fetching values from textImage->Data.

I'm not sure why the y array contains 512, so I'm not sure if it is a bug upstream (i.e. where the y array gets filled), or the PutValues should do proper bounds checking instead.
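
Added example (not part of the original report and not Mesa code): a minimal C model of the scatter write described above, showing what y[0] == 512 does to a 512-row image with and without a per-pixel bounds check. The struct, the put_values() and guard_words_hit() functions, the guard row and the sample coordinates are all hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum { W = 512, H = 512 };            /* texture size from the report */
#define CANARY 0xDEADBEEFu

/* Hypothetical stand-in for a depth texture image (not Mesa's structs). */
struct depth_image { uint32_t *data; int width, height; };

/* Scatter write of count values to (x[i], y[i]). With check == 0 this is the
 * unchecked pattern the report describes; with check != 0 out-of-range
 * coordinates are skipped. Returns the number of values skipped. */
static int put_values(struct depth_image *img, int count, const int x[],
                      const int y[], const uint32_t v[], int check)
{
    int skipped = 0;
    for (int i = 0; i < count; i++) {
        int inside = x[i] >= 0 && x[i] < img->width &&
                     y[i] >= 0 && y[i] < img->height;
        if (check && !inside) { skipped++; continue; }
        img->data[(size_t)y[i] * img->width + x[i]] = v[i];
    }
    return skipped;
}

/* Constructed input: y[0] == 512. One guard row is allocated past the image so
 * the stray write is observable. Returns the number of guard words overwritten. */
static int guard_words_hit(int use_check)
{
    const int x[] = { 10, 10, 0 }, y[] = { 512, 511, 0 };
    const uint32_t v[] = { 1, 2, 3 };
    size_t image = (size_t)W * H, total = image + W;
    uint32_t *buf = calloc(total, sizeof *buf);
    int hit = 0;
    if (!buf) return -1;
    for (size_t i = image; i < total; i++) buf[i] = CANARY;
    struct depth_image img = { buf, W, H };
    put_values(&img, 3, x, y, v, use_check);
    for (size_t i = image; i < total; i++) hit += (buf[i] != CANARY);
    free(buf);
    return hit;
}

int main(void)
{
    printf("guard words hit: unchecked=%d checked=%d\n",
           guard_words_hit(0), guard_words_hit(1));
    return 0;
}
```

In a real allocation there is no guard row, so the unchecked write lands in whatever follows the image on the heap, which matches the later allocation crash the report mentions.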