On Thu, Jul 14, 2016 at 05:20:55PM +0100, Emil Velikov wrote: > On 14 July 2016 at 15:23, Eric Engestrom <eric.engest...@imgtec.com> wrote: > > On Thu, Jul 14, 2016 at 03:21:20PM +0200, Stefan Dirsch wrote: > >> This 'last' variable used in FindGLXFunction(...) may become negative, > >> but has been defined as unsigned int resulting in an overflow, > >> finally resulting in a segfault when accessing > >> _glXDispatchTableStrings[...]. > >> Fixed this by definining it as signed int. 'first' variable also needs to > >> be > >> defined as signed int. Otherwise condition for while loop fails due to C > >> implicitly converting signed to unsigned values before comparison. > > > > Indeed, `last` can become negative is when the name searched for is > > alphabetically less than the first entry in the dispatch table. > > On the penultimate round, we would have `first = 0` and `last = 1`. > > Next iteration of the while loop, middle becomes 0, `strcmp() > 0` > > and last = middle - 1, ie. -1. > > > > The same issue exists on the other side (name searched is after last > > entry), but until DI_FUNCTION_COUNT reaches UINT_MAX this wouldn't > > wrap around. > > > > It's unlikely we'll ever have more than INT_MAX entries in the dispatch > > table, so I think this patch is OK. I tried to find a better fix, but > > adding checks before updating first and last feels too heavy. > > > Indeed, reaching {U,}INT_MAX is extremely unlikely, thus we can avoid > adding extra checks. > > > Reviewed-by: Eric Engestrom <eric.engest...@imgtec.com> > > > I'll add the stable tag and push this in a few minutes (as the fresh > doze of coffee kicks in).
Thanks a lot! > Stefan, I'll double-check about the issue mentioned in the cover > letter and let you know (and/or send patches). Didn't hear back from you. Are you still planning to look into this? Or does it just work for you and I messed something up on my side? Thanks, Stefan Public Key available ------------------------------------------------------ Stefan Dirsch (Res. & Dev.) SUSE LINUX GmbH Tel: 0911-740 53 0 Maxfeldstraße 5 FAX: 0911-740 53 479 D-90409 Nürnberg http://www.suse.de Germany --------------------------------------------------------------- SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) --------------------------------------------------------------- _______________________________________________ mesa-dev mailing list mesa-dev@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/mesa-dev