author | Christoph Bumiller <[email protected]> | 2013-01-08 13:46:24 +0100 |
---|---|---|
committer | Christoph Bumiller <[email protected]> | 2013-01-08 16:13:51 +0100 |
commit | 076f4ced8b7bbf2074cf932e653b1da6db2e2380 (patch) | |
tree | 4b2cc0a8a81d0f5f923811b17c621c520b7a6405 /src/gallium | |
parent | 39fe03e2de655aee9939cb51d08cac8aa491bb6e (diff) |
nvc0: fix out of bounds writes for unaligned sizes in push_data
Diffstat (limited to 'src/gallium')
-rw-r--r-- | src/gallium/drivers/nvc0/nvc0_transfer.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/gallium/drivers/nvc0/nvc0_transfer.c b/src/gallium/drivers/nvc0/nvc0_transfer.c
index 66753c9135b..16467cee489 100644
--- a/src/gallium/drivers/nvc0/nvc0_transfer.c
+++ b/src/gallium/drivers/nvc0/nvc0_transfer.c
@@ -201,7 +201,7 @@ nvc0_m2mf_push_linear(struct nouveau_context *nv,
 PUSH_DATAh(push, dst->offset + offset);
 PUSH_DATA (push, dst->offset + offset);
 BEGIN_NVC0(push, NVC0_M2MF(LINE_LENGTH_IN), 2);
- PUSH_DATA (push, nr * 4);
+ PUSH_DATA (push, MIN2(size, nr * 4));
 PUSH_DATA (push, 1);
 BEGIN_NVC0(push, NVC0_M2MF(EXEC), 1);
 PUSH_DATA (push, 0x100111);
@@ -213,6 +213,7 @@ nvc0_m2mf_push_linear(struct nouveau_context *nv,
 count -= nr;
 src += nr;
 offset += nr * 4;
+ size -= nr * 4;
 }

 nouveau_bufctx_reset(nvc0->bufctx, 0);
@@ -246,7 +247,7 @@ nve4_p2mf_push_linear(struct nouveau_context *nv,
 PUSH_DATAh(push, dst->offset + offset);
 PUSH_DATA (push, dst->offset + offset);
 BEGIN_NVC0(push, NVE4_P2MF(LINE_LENGTH_IN), 2);
- PUSH_DATA (push, nr * 4);
+ PUSH_DATA (push, MIN2(size, nr * 4));
 PUSH_DATA (push, 1);
 /* must not be interrupted (trap on QUERY fence, 0x50 works however) */
 BEGIN_1IC0(push, NVE4_P2MF(EXEC), nr + 1);
@@ -256,6 +257,7 @@ nve4_p2mf_push_linear(struct nouveau_context *nv,
 count -= nr;
 src += nr;
 offset += nr * 4;
+ size -= nr * 4;
 }

 nouveau_bufctx_reset(nvc0->bufctx, 0);
 |
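Review bot: The source side is still consumed in whole 32-bit words (`src += nr` in the next hunk, and `nr + 1` in the EXEC packet of nve4_p2mf_push_linear), so for a `size` that is not a multiple of 4 the last word is presumably still read up to three bytes past the end of the caller's buffer. The new `MIN2(size, nr * 4)` on LINE_LENGTH_IN only bounds what the GPU writes. The call that copies from `src` lies outside the hunk, so this needs confirming against the full function; if it holds, either document that callers must pad `data` to a 4-byte multiple or stage the tail word through a zeroed local before pushing it. A comment above the clamp such as `/* size may be unaligned: limit the line length so the padding bytes are not written */` would also record why the MIN2 is there. The same applies to the identical change in nve4_p2mf_push_linear.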
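Review bot: `size -= nr * 4;` wraps on the final chunk whenever the remaining size is not a multiple of 4, because `nr * 4` then exceeds the bytes left (size appears to be unsigned; its declaration and the loop condition are outside the hunk). The loop presumably terminates on `count`, so the wrapped value is not consumed today, but any later use of `size`, or another pass through the loop, would see a huge length and silently defeat the `MIN2` clamp. Computing the chunk length once with `unsigned len = MIN2(size, nr * 4);`, pushing `len` as LINE_LENGTH_IN and ending the iteration with `size -= len;` keeps the counter exact. The same subtraction is added in nve4_p2mf_push_linear and would take the same change.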