← Back to branch summary

~ubuntu-branches/ubuntu/precise/mesa/precise-security

« back to all changes in this revision

Viewing changes to src/mesa/state_tracker/st_cb_drawpixels.c

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers, Steve Beattie
  • Date: 2012-10-19 09:04:04 UTC
  • mfrom: (163.1.4 precise-proposed)
  • Revision ID: package-import@ubuntu.com-20121019090404-5zbjpsp6knv7zl3b
Tags: 8.0.4-0ubuntu0.2
https://launchpad.net/bugs/1046933
[ Steve Beattie ]
* SECURITY UPDATE: samplers array overflow (LP: #1046933)
  - debian/patches/50-CVE-2012-2864.patch: ensure that more than
    MAX_SAMPLERS are not used
  - CVE-2012-2864

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/mesa/state_tracker/st_cb_drawpixels.c
215
215
   if (!p)
216
216
      return NULL;
217
217
 
218
 
   p->NumInstructions = write_depth ? 2 : 1;
 
218
   p->NumInstructions = write_depth ? 3 : 1;
219
219
   p->NumInstructions += write_stencil ? 1 : 0;
220
220
 
221
221
   p->Instructions = _mesa_alloc_instructions(p->NumInstructions);
236
236
      p->Instructions[ic].TexSrcUnit = 0;
237
237
      p->Instructions[ic].TexSrcTarget = TEXTURE_2D_INDEX;
238
238
      ic++;
 
239
      /* MOV result.color, fragment.color; */
 
240
      p->Instructions[ic].Opcode = OPCODE_MOV;
 
241
      p->Instructions[ic].DstReg.File = PROGRAM_OUTPUT;
 
242
      p->Instructions[ic].DstReg.Index = FRAG_RESULT_COLOR;
 
243
      p->Instructions[ic].SrcReg[0].File = PROGRAM_INPUT;
 
244
      p->Instructions[ic].SrcReg[0].Index = FRAG_ATTRIB_COL0;
 
245
      ic++;
239
246
   }
240
247
 
241
248
   if (write_stencil) {
258
265
 
259
266
   p->InputsRead = FRAG_BIT_TEX0 | FRAG_BIT_COL0;
260
267
   p->OutputsWritten = 0;
261
 
   if (write_depth)
 
268
   if (write_depth) {
262
269
      p->OutputsWritten |= BITFIELD64_BIT(FRAG_RESULT_DEPTH);
 
270
      p->OutputsWritten |= BITFIELD64_BIT(FRAG_RESULT_COLOR);
 
271
   }
263
272
   if (write_stencil)
264
273
      p->OutputsWritten |= BITFIELD64_BIT(FRAG_RESULT_STENCIL);
265
274
 
1543
1552
   readY = srcy;
1544
1553
   readW = width;
1545
1554
   readH = height;
1546
 
   _mesa_clip_readpixels(ctx, &readX, &readY, &readW, &readH, &pack);
 
1555
   if (!_mesa_clip_readpixels(ctx, &readX, &readY, &readW, &readH, &pack)) {
 
1556
      /* The source region is completely out of bounds.  Do nothing.
 
1557
       * The GL spec says "Results of copies from outside the window,
 
1558
       * or from regions of the window that are not exposed, are
 
1559
       * hardware dependent and undefined."
 
1560
       */
 
1561
      return;
 
1562
   }
 
1563
 
1547
1564
   readW = MAX2(0, readW);
1548
1565
   readH = MAX2(0, readH);
1549
1566