From c35f14f36880eb20f5e54480444e343520e9bec5 Mon Sep 17 00:00:00 2001 From: Carl Worth Date: Wed, 3 Sep 2014 14:18:18 -0700 Subject: Eliminate several cases of multiplication in arguments to calloc In commit 32f2fd1c5d6088692551c80352b7d6fa35b0cd09, several calls to _mesa_calloc(x) were replaced with calls to calloc(1, x). This is strictly equivalent to what the code was doing previously. But for cases where "x" involves multiplication, now that we are explicitly using the two-argument calloc, we can do one step better and replace: calloc(1, A * B); with: calloc(A, B); The advantage of the latter is that calloc will detect any overflow that would have resulted from the multiplication and will fail the allocation, (whereas the former would return a small allocation). So this fix can change potentially exploitable buffer overruns into segmentation faults. Reviewed-by: Matt Turner --- src/gallium/drivers/freedreno/a2xx/ir-a2xx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/gallium/drivers/freedreno/a2xx/ir-a2xx.c') diff --git a/src/gallium/drivers/freedreno/a2xx/ir-a2xx.c b/src/gallium/drivers/freedreno/a2xx/ir-a2xx.c index 18afba8a5a3..cff5a27fce0 100644 --- a/src/gallium/drivers/freedreno/a2xx/ir-a2xx.c +++ b/src/gallium/drivers/freedreno/a2xx/ir-a2xx.c @@ -146,7 +146,7 @@ void * ir2_shader_assemble(struct ir2_shader *shader, struct ir2_shader_info *in goto fail; } - ptr = dwords = calloc(1, 4 * info->sizedwords); + ptr = dwords = calloc(4, info->sizedwords); /* second pass, emit CF program in pairs: */ for (i = 0; i < shader->cfs_count; i += 2) { -- cgit v1.2.3
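Review bot: the pointer returned by `calloc(4, info->sizedwords)` in ir2_shader_assemble is not checked for NULL in the visible lines before the second-pass loop starts, and with this change an overflowing size is exactly the case that now returns NULL. The context just above the allocation already uses `goto fail;`, so adding `if (!dwords) goto fail;` directly after the allocation would turn the segmentation fault the commit message accepts into a clean error return. As a smaller style point, calloc takes the element count first and the element size second, so `calloc(info->sizedwords, 4)` (or `sizeof(*dwords)` in place of the literal 4, if dwords points to 32-bit words) would read more naturally; the overflow check behaves the same either way.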