From e08dbb21a4698950471bbb3aebfeda85b3a32989 Mon Sep 17 00:00:00 2001 From: Chad Versace Date: Wed, 5 Nov 2014 10:14:11 -0800 Subject: [PATCH] i965: Fix segfault in WebGL Conformance on Ivybridge Fixes regression of WebGL Conformance test texture-size-limit [1] on Ivybridge Mobile GT2 0x0166 with Google Chrome R38. Regression introduced by commit 6c044231535b93c5d16404528946cad618d96bd9 Author: Kenneth Graunke Date: Sun Feb 2 02:58:42 2014 -0800 i965: Bump GL_MAX_CUBE_MAP_TEXTURE_SIZE to 8192. The test regressed because the pointer offset arithmetic in intel_miptree_map_gtt() overflows for large textures. The pointer arithmetic uses 32-bit ints :(. [1] https://github.com/KhronosGroup/WebGL/blob/52f0dc240f04dce31b1b8e2b8107fe2b8332dc90/sdk/tests/conformance/textures/texture-size-limit.html Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=78770 Fixes: Intel CHRMOS-1377 Reported-by: Lu Hua Signed-off-by: Chad Versace --- src/mesa/drivers/dri/i965/intel_mipmap_tree.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/mesa/drivers/dri/i965/intel_mipmap_tree.c b/src/mesa/drivers/dri/i965/intel_mipmap_tree.c index 8fda25d..24e217c 100644 --- a/src/mesa/drivers/dri/i965/intel_mipmap_tree.c +++ b/src/mesa/drivers/dri/i965/intel_mipmap_tree.c @@ -1769,7 +1769,16 @@ intel_miptree_map_gtt(struct brw_context *brw, y += image_y; map->stride = mt->pitch; - map->ptr = base + y * map->stride + x * mt->cpp; + + /* The variables in below pointer arithmetic are 32-bit. The arithmetic + * overflows for large textures. Therefore the cast to intptr_t is + * needed. + * + * TODO(chadv): Fix this everywhere in i965 by fixing the signature of + * intel_miptree_get_image_offset() to use intptr_t. + */ + map->ptr = base + (intptr_t) y * (intptr_t) map->stride + + (intptr_t) x * (intptr_t) mt->cpp; } DBG("%s: %d,%d %dx%d from mt %p (%s) %d,%d = %p/%d\n", __FUNCTION__, -- 2.1.2.1.g5433a3e
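Review bot: In the new `map->ptr` assignment in intel_miptree_map_gtt(), the casts to `intptr_t` only widen the arithmetic where `intptr_t` is wider than 32 bits. On a 32-bit build `intptr_t` is itself 32-bit, so `y * map->stride` is computed at the same width as before. The comment should say that the fix relies on a 64-bit `intptr_t`, or the code should check that the offset is representable before it is added to `base`. Computing the offset into a named local first (for example `intptr_t offset = (intptr_t) y * map->stride + (intptr_t) x * mt->cpp;`) would also make the widening easier to read, since casting one operand of each product is enough. The TODO notes that intel_miptree_get_image_offset() still uses 32-bit values, so other callers doing similar pointer arithmetic remain unfixed by this patch. It would help to reference the bug from the commit message in the TODO so the follow-up is tracked.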