summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBrian Paul <[email protected]>2010-09-01 13:21:51 -0600
committerBrian Paul <[email protected]>2010-09-01 13:24:26 -0600
commit4ff3467daf0ac07e4295c7d2e2ad3c3c8c89dff6 (patch)
tree1a14fc3f765725a2ddb2e34799500798268b659c
parentfd7f2ae085ea55649089b29515e143eed43c177e (diff)
mesa: fix out of bounds memory read in mipmap gen code
Out of bounds reads could happen for reducing WxH to WxH/2 or WxH to W/2xH. Fixes fd.o bug 29918.
-rw-r--r--src/mesa/main/mipmap.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/src/mesa/main/mipmap.c b/src/mesa/main/mipmap.c
index c0c29f78893..678d17a2a36 100644
--- a/src/mesa/main/mipmap.c
+++ b/src/mesa/main/mipmap.c
@@ -1005,21 +1005,28 @@ make_2d_mipmap(GLenum datatype, GLuint comps, GLint border,
const GLint dstRowBytes = bpt * dstRowStride;
const GLubyte *srcA, *srcB;
GLubyte *dst;
- GLint row;
+ GLint row, srcRowStep;
/* Compute src and dst pointers, skipping any border */
srcA = srcPtr + border * ((srcWidth + 1) * bpt);
- if (srcHeight > 1)
+ if (srcHeight > 1 && srcHeight > dstHeight) {
+ /* sample from two source rows */
srcB = srcA + srcRowBytes;
- else
+ srcRowStep = 2;
+ }
+ else {
+ /* sample from one source row */
srcB = srcA;
+ srcRowStep = 1;
+ }
+
dst = dstPtr + border * ((dstWidth + 1) * bpt);
for (row = 0; row < dstHeightNB; row++) {
do_row(datatype, comps, srcWidthNB, srcA, srcB,
dstWidthNB, dst);
- srcA += 2 * srcRowBytes;
- srcB += 2 * srcRowBytes;
+ srcA += srcRowStep * srcRowBytes;
+ srcB += srcRowStep * srcRowBytes;
dst += dstRowBytes;
}