
r300: fix r300_draw_elements_immediate() possible memory overflow

What does this MR do and why?

r300: fix r300_draw_elements_immediate() possible memory overflow

This is a minor issue which deserves to be fixed.

For instance, this issue is triggered with "deqp-gles2 --deqp-case=dEQP-GLES2.functional.fragment_ops.scissor.contained_point":
==20326==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006ef2 at pc 0x7f3e4d00f9a0 bp 0x7ffe53b96310 sp 0x7ffe53b95ac0
READ of size 4 at 0x602000006ef2 thread T0
    #0 0x7f3e4d00f99f in __interceptor_memcpy (/usr/lib64/libasan.so.6.0.0+0x3c99f)
    #1 0x7f3e42c3cce8 in r300_draw_elements_immediate ../src/gallium/drivers/r300/r300_render.c:565
    #2 0x7f3e42c3cce8 in r300_draw_vbo ../src/gallium/drivers/r300/r300_render.c:838
    #3 0x7f3e4281f2dd in u_vbuf_draw_vbo ../src/gallium/auxiliary/util/u_vbuf.c:1782
    #4 0x7f3e417eb873 in _mesa_validated_drawrangeelements ../src/mesa/main/draw.c:1709
    #5 0x7f3e417f28c5 in _mesa_DrawElementsBaseVertex ../src/mesa/main/draw.c:1852

Fixes: a0c293ec117c ("r300g: put indices in CS if there's just a few of them and are in user memory")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
