New subject: [Bug 32277] overflow in calculate_miptree_layout_r300

9 Dec 2010


      https://bugs.freedesktop.org/show_bug.cgi?id=32277
Summary: overflow in calculate_miptree_layout_r300
           Product: Mesa
           Version: git
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: medium
         Component: Drivers/DRI/R600
        AssignedTo: dri-devel@lists.freedesktop.org
        ReportedBy: prahal@yahoo.com
Created an attachment (id=40964)
 View: https://bugs.freedesktop.org/attachment.cgi?id=40964
 Review: https://bugs.freedesktop.org/review?bug=32277&attachment=40964
Fix for the levels array overflow
extremetuxracer 0.5 beta2 shows up a bug in r600c.
The levels array in radeon_mipmap_tree structure is defined with a size of
RADEON_MIPTREE_MAX_TEXTURE (ie 13). Though in radeon_try_alloc_miptree the size
of numLevels can overflow this size.
Then in calculate_miptree_layout_r300 the loop write out of the array.
Which leads to calloc failure in bo_open from radeon_gem_bo due to corrupted
memory.
This patch fixes this by setting the numLevels max to
RADEON_MIPTREE_MAX_TEXTURE.
-- 
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 32277] New: overflow in calculate_miptree_layout_r300