diff options
| author | Carl Worth <[email protected]> | 2014-09-03 14:18:18 -0700 |
|---|---|---|
| committer | Carl Worth <[email protected]> | 2014-09-03 18:37:02 -0700 |
| commit | c35f14f36880eb20f5e54480444e343520e9bec5 (patch) | |
| tree | 860639f711be92e6ee031b005ac0284320c91d39 /src/mesa/drivers | |
| parent | 96ce065db46d11f5ad6423f4a522f3e92153b3cf (diff) | |
Eliminate several cases of multiplication in arguments to calloc
In commit 32f2fd1c5d6088692551c80352b7d6fa35b0cd09, several calls to
_mesa_calloc(x) were replaced with calls to calloc(1, x). This is strictly
equivalent to what the code was doing previously.
But for cases where "x" involves multiplication, now that we are explicitly
using the two-argument calloc, we can do one step better and replace:
calloc(1, A * B);
with:
calloc(A, B);
The advantage of the latter is that calloc will detect any overflow that would
have resulted from the multiplication and will fail the allocation, (whereas
the former would return a small allocation). So this fix can change
potentially exploitable buffer overruns into segmentation faults.
Reviewed-by: Matt Turner <[email protected]>
Diffstat (limited to 'src/mesa/drivers')
| -rw-r--r-- | src/mesa/drivers/dri/common/utils.c | 2 | ||||
| -rw-r--r-- | src/mesa/drivers/dri/i965/brw_state_cache.c | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/src/mesa/drivers/dri/common/utils.c b/src/mesa/drivers/dri/common/utils.c index e0b3db8cf14..f2e63c0b98c 100644 --- a/src/mesa/drivers/dri/common/utils.c +++ b/src/mesa/drivers/dri/common/utils.c @@ -238,7 +238,7 @@ driCreateConfigs(mesa_format format, is_srgb = _mesa_get_format_color_encoding(format) == GL_SRGB; num_modes = num_depth_stencil_bits * num_db_modes * num_accum_bits * num_msaa_modes; - configs = calloc(1, (num_modes + 1) * sizeof *configs); + configs = calloc(num_modes + 1, sizeof *configs); if (configs == NULL) return NULL; diff --git a/src/mesa/drivers/dri/i965/brw_state_cache.c b/src/mesa/drivers/dri/i965/brw_state_cache.c index 19079c8b2cc..bb5047ea4d6 100644 --- a/src/mesa/drivers/dri/i965/brw_state_cache.c +++ b/src/mesa/drivers/dri/i965/brw_state_cache.c @@ -115,7 +115,7 @@ rehash(struct brw_cache *cache) GLuint size, i; size = cache->size * 3; - items = calloc(1, size * sizeof(*items)); + items = calloc(size, sizeof(*items)); for (i = 0; i < cache->size; i++) for (c = cache->items[i]; c; c = next) { @@ -334,7 +334,7 @@ brw_init_caches(struct brw_context *brw) cache->size = 7; cache->n_items = 0; cache->items = - calloc(1, cache->size * sizeof(struct brw_cache_item *)); + calloc(cache->size, sizeof(struct brw_cache_item *)); cache->bo = drm_intel_bo_alloc(brw->bufmgr, "program cache", |