diff options
author | Andrii Simiklit <[email protected]> | 2018-08-20 19:20:59 +0300 |
---|---|---|
committer | Lionel Landwerlin <[email protected]> | 2018-09-03 11:14:30 +0100 |
commit | 095600dad6ee2c93b92026ba9c78ad829a79fcd0 (patch) | |
tree | e9c1779d1af2f0ec77f148f8be321ceb4b6db89e /src/intel | |
parent | 233718a199f96f71f7c0d2063d9a434dc3447d86 (diff) |
intel/decoder: fix the possible out of bounds group_iter
The "gen_group_get_length" function can return a negative value
and it can lead to the out of bounds group_iter.
v2: printing of "unknown command type" was added
v3: just the asserts are added
Signed-off-by: Andrii Simiklit <[email protected]>
Reviewed-by: Lionel Landwerlin <[email protected]>
Diffstat (limited to 'src/intel')
-rw-r--r-- | src/intel/common/gen_decoder.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/intel/common/gen_decoder.c b/src/intel/common/gen_decoder.c index ec22b545492..c6c213fcd11 100644 --- a/src/intel/common/gen_decoder.c +++ b/src/intel/common/gen_decoder.c @@ -804,8 +804,10 @@ static bool iter_more_groups(const struct gen_field_iterator *iter) { if (iter->group->variable) { + int length = gen_group_get_length(iter->group, iter->p); + assert(length >= 0 && "error the length is unknown!"); return iter_group_offset_bits(iter, iter->group_iter + 1) < - (gen_group_get_length(iter->group, iter->p) * 32); + (length * 32); } else { return (iter->group_iter + 1) < iter->group->group_count || iter->group->next != NULL; @@ -997,6 +999,7 @@ gen_field_iterator_init(struct gen_field_iterator *iter, iter->p_bit = p_bit; int length = gen_group_get_length(iter->group, iter->p); + assert(length >= 0 && "error the length is unknown!"); iter->p_end = length >= 0 ? &p[length] : NULL; iter->print_colors = print_colors; } |