From ce6f99fe3c4f6f125a6f72aac937357172aafad5 Mon Sep 17 00:00:00 2001
From: Alban Browaeys
Date: Thu, 9 Dec 2010 05:11:40 +0100
Subject: [PATCH] Fix levels array overflow in mimap tree.
The levels array in radeon_mipmap_tree structure is defined with a size of RADEON_MIPTREE_MAX_TEXTURE (ie 13). Though in radeon_try_alloc_miptree the size of numLevels can overflow this size. Then in calculate_miptree_layout_r300 the loop write out of the array. Which leads to calloc failure in bo_open from radeon_gem_bo due to corrupted memory.
Signed-off-by: Alban Browaeys
---
 src/mesa/drivers/dri/radeon/radeon_mipmap_tree.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/src/mesa/drivers/dri/radeon/radeon_mipmap_tree.c b/src/mesa/drivers/dri/radeon/radeon_mipmap_tree.c
index 1fadad2..31e3fcb 100644
--- a/src/mesa/drivers/dri/radeon/radeon_mipmap_tree.c
+++ b/src/mesa/drivers/dri/radeon/radeon_mipmap_tree.c
@@ -419,6 +419,7 @@ void radeon_try_alloc_miptree(radeonContextPtr rmesa, radeonTexObj *t)
 numLevels = MIN2(texObj->MaxLevel - texObj->BaseLevel + 1, texImg->MaxLog2 + 1);
+ numLevels = MIN2(RADEON_MIPTREE_MAX_TEXTURE_LEVELS, numLevels);
 t->mt = radeon_miptree_create(rmesa, t->base.Target, texImg->TexFormat, texObj->BaseLevel,
-- 
1.7.2.3
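Review bot: The added clamp bounds only the level count, while `texObj->BaseLevel` is handed to `radeon_miptree_create` in the very next statement; if the layout code indexes `levels[]` by absolute level (base plus offset, which is not visible in this hunk), a non-zero base level can still write past the array. If that is the case the bound needs to account for the base, along the lines of `numLevels = MIN2(numLevels, RADEON_MIPTREE_MAX_TEXTURE_LEVELS - texObj->BaseLevel);`, after first rejecting a base level that is not below the array size so the subtraction cannot wrap. Because the out-of-bounds write described in the commit message happens in `calculate_miptree_layout_r300`, a matching check or assert in the miptree creation path would protect every caller rather than only this one. A short comment such as `/* levels[] holds RADEON_MIPTREE_MAX_TEXTURE_LEVELS entries */` above the clamp would record why it exists. The `radeon_miptree_create` call and the rest of the function body continue outside the hunk.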