If stride is supplied (as either stride or slice_stride),
trace_dump_box_bytes will try to read stride bytes, regardless whether
start address is offset by box->x. This causes access outside mapped
region, and possible segv. (transfer_map stride and layer_stride are not
adjusted for box dimensions)
Note: trace_dump_box_bytes only dumps PIPE_BUFFER resources, so there
shouldn't be any complicated boxes. trace_dump_bytes doesn't handle them
anyway.
---
src/gallium/drivers/trace/tr_dump.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/gallium/drivers/trace/tr_dump.c
b/src/gallium/drivers/trace/tr_dump.c
index b173b8a..591e273 100644
--- a/src/gallium/drivers/trace/tr_dump.c
+++ b/src/gallium/drivers/trace/tr_dump.c
@@ -510,11 +510,13 @@ void trace_dump_box_bytes(const void *data,
size = 0;
} else {
enum pipe_format format = resource->format;
- if (slice_stride)
+ if (slice_stride) {
+ slice_stride -= util_format_get_blockwidth(format) * box->x;
size = box->depth * slice_stride;
- else if (stride)
+ } else if (stride) {
+ stride -= util_format_get_blockwidth(format) * box->x;
size = util_format_get_nblocksy(format, box->height) * stride;
- else {
+ } else {
size = util_format_get_nblocksx(format, box->width) *
util_format_get_blocksize(format);
}
}
--
2.7.4
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/mesa-dev
