mesa/st: fix buffer overflow related to set_program_string()
For instance, this is triggered with "piglit/bin/ext_direct_state_access-named-program -auto -fbo":
==5695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000050031 at pc 0x7f78dfca8d46 bp 0x7ffd9043b4a0 sp 0x7ffd9043ac50
READ of size 50 at 0x606000050031 thread T0
    #0 0x7f78dfca8d45  (/usr/lib64/libasan.so.6+0x3fd45)
    #1 0x7f78d450b18f in set_program_string ../src/mesa/main/arbprogram.c:385
    #2 0x7f78d3fdbd3e in execute_list ../src/mesa/main/dlist.c:13025
    #3 0x7f78d40c2564 in _mesa_CallList ../src/mesa/main/dlist.c:13451
    #4 0x7f78d42f380a in _mesa_unmarshal_CallList ../src/mesa/main/glthread_list.c:43
    #5 0x7f78d38e85c5 in glthread_unmarshal_batch ../src/mesa/main/glthread.c:122
    #6 0x7f78d38ea20d in _mesa_glthread_finish ../src/mesa/main/glthread.c:382
    #7 0x7f78d38ea20d in _mesa_glthread_finish ../src/mesa/main/glthread.c:347
    #8 0x7f78d3d73f69 in _mesa_marshal_IsProgramARB src/mapi/glapi/gen/marshal_generated2.c:4256

Fixes: 0b196b4 ("mesa: don't compute the same SHA1 twice in glShaderSource")
Signed-off-by: Patrick Lerda <[email protected]>
Reviewed-by: Marek Olšák <[email protected]>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23295>
(cherry picked from commit 44b960a)
Patrick Lerda authored and 1ace committed Jun 2, 2023
1 parent 0fd5043 commit ce18d3d
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion .pick_status.json
Expand Up @@ -184,7 +184,7 @@
"description": "mesa/st: fix buffer overflow related to set_program_string()",
"nominated": true,
"nomination_type": 1,
"resolution": 0,
"resolution": 1,
"main_sha": null,
"because_sha": "0b196b40a3ae88b822fc1ec98b3461469c7dec98"
},
2 changes: 1 addition & 1 deletion src/mesa/main/arbprogram.c
Expand Up @@ -382,7 +382,7 @@ set_program_string(struct gl_program *prog, GLenum target, GLenum format, GLsize
gl_shader_stage stage = _mesa_program_enum_to_shader_stage(target);

uint8_t sha1[SHA1_DIGEST_LENGTH];
_mesa_sha1_compute(string, strlen(string), sha1);
_mesa_sha1_compute(string, len, sha1);

/* Dump original shader source to MESA_SHADER_DUMP_PATH and replace
* if corresponding entry found from MESA_SHADER_READ_PATH.
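Review bot: The `len` now passed to `_mesa_sha1_compute` is the only bound on `string` visible in this hunk, and the dump/replace step announced in the comment just below it works on the same buffer. The ASan trace in the commit message (a 50-byte READ at arbprogram.c:385, reached from `execute_list`) suggests callers can hand in a source that is not NUL-terminated, so it is worth confirming that the MESA_SHADER_DUMP_PATH / MESA_SHADER_READ_PATH code is also bounded by `len` rather than scanning for a terminator. A one-line comment above the hash stating that `string` is `len` bytes and may lack a trailing NUL would help keep `strlen()` from being reintroduced here.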