← Back to branch summary

~ubuntu-branches/ubuntu/precise/mesa/precise-security

« back to all changes in this revision

Viewing changes to debian/patches/117_intel_fix_hiz_null_dereference.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers, Steve Beattie
  • Date: 2012-10-19 09:04:04 UTC
  • mfrom: (163.1.4 precise-proposed)
  • Revision ID: package-import@ubuntu.com-20121019090404-5zbjpsp6knv7zl3b
Tags: 8.0.4-0ubuntu0.2
https://launchpad.net/bugs/1046933
[ Steve Beattie ]
* SECURITY UPDATE: samplers array overflow (LP: #1046933)
  - debian/patches/50-CVE-2012-2864.patch: ensure that more than
    MAX_SAMPLERS are not used
  - CVE-2012-2864

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/117_intel_fix_hiz_null_dereference.patch
1
 
From 9c396be157cb4e8780145769851f99754830b5f6 Mon Sep 17 00:00:00 2001
2
 
From: Dylan Noblesmith <nobled@dreamwidth.org>
3
 
Date: Fri, 16 Mar 2012 18:38:49 +0000
4
 
Subject: [PATCH] intel: fix null dereference processing HiZ buffer
5
 
 
6
 
Or technically, a near-null dereference.
7
 
 
8
 
https://bugs.freedesktop.org/show_bug.cgi?id=46303
9
 
https://bugs.freedesktop.org/show_bug.cgi?id=46739
10
 
 
11
 
NOTE: This is a candidate for the 8.0 branch.
12
 
---
13
 
 src/mesa/drivers/dri/intel/intel_context.c |    6 ++++++
14
 
 1 files changed, 6 insertions(+), 0 deletions(-)
15
 
 
16
 
diff --git a/src/mesa/drivers/dri/intel/intel_context.c b/src/mesa/drivers/dri/intel/intel_context.c
17
 
index ffd9536..7f94976 100644
18
 
--- a/src/mesa/drivers/dri/intel/intel_context.c
19
 
+++ b/src/mesa/drivers/dri/intel/intel_context.c
20
 
@@ -1223,6 +1223,10 @@ intel_process_dri2_buffer_with_separate_stencil(struct intel_context *intel,
21
 
    if (!rb)
22
 
       return;
23
 
 
24
 
+   /* Check if we failed to allocate the depth miptree earlier. */
25
 
+   if (buffer->attachment == __DRI_BUFFER_HIZ && rb->mt == NULL)
26
 
+     return;
27
 
+
28
 
    /* If the renderbuffer's and DRIbuffer's regions match, then continue. */
29
 
    if ((buffer->attachment != __DRI_BUFFER_HIZ &&
30
 
        rb->mt &&
31
 
@@ -1264,6 +1268,7 @@ intel_process_dri2_buffer_with_separate_stencil(struct intel_context *intel,
32
 
     * due to failure to allocate new storage.
33
 
     */
34
 
    if (buffer->attachment == __DRI_BUFFER_HIZ) {
35
 
+      assert(rb->mt);
36
 
       intel_miptree_release(&rb->mt->hiz_mt);
37
 
    } else {
38
 
       intel_miptree_release(&rb->mt);
39
 
@@ -1289,6 +1294,7 @@ intel_process_dri2_buffer_with_separate_stencil(struct intel_context *intel,
40
 
 
41
 
    /* Associate buffer with new storage. */
42
 
    if (buffer->attachment == __DRI_BUFFER_HIZ) {
43
 
+      assert(rb->mt);
44
 
       rb->mt->hiz_mt = mt;
45
 
    } else {
46
 
       rb->mt = mt;
47
 
1.7.4.1
48