Bug 43250

Summary: i915: Cubemap buffer overflow
Product: Mesa
Reporter: Kurt Roeckx <kurt>
Component: Drivers/DRI/i915
Assignee: Ian Romanick <idr>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
Version: git
Hardware: Other
OS: All
Whiteboard:
i915 platform:
i915 features:
Attachments: i915: Fix cubemap buffer overflow

Description Kurt Roeckx 2011-11-25 16:42:25 UTC
Created attachment 53859
i915: Fix cubemap buffer overflow

Commit 87f12bb2 changed this:
--- a/src/mesa/drivers/dri/i915/i915_tex_layout.c
+++ b/src/mesa/drivers/dri/i915/i915_tex_layout.c
@@ -126,7 +126,7 @@ i915_miptree_layout_cube(struct intel_mipmap_tree * mt)
    mt->total_height = dim * 4;
 
    for (level = mt->first_level; level <= mt->last_level; level++) {
-      intel_miptree_set_level_info(mt, level, 6,
+      intel_miptree_set_level_info(mt, level,
                                   0, 0,
                                   lvlWidth, lvlHeight,
                                   1);
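
Review bot: in i915_miptree_layout_cube() the trailing `1` in `lvlWidth, lvlHeight, 1);` becomes the level's depth once the `6` is dropped, so each cube map level is recorded with one slice instead of six. The description of commit d7b33309 says depth is 6 for GL_TEXTURE_CUBE_MAP, so the last argument of this call should be 6.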

The parameter was dropped in commit d7b33309, which said:
    intel: Kill intel_mipmap_level::nr_images [v4]

    For all texture targets except GL_TEXTURE_CUBE_MAP, the 'nr_images' and
    'depth' fields of intel_mipmap_level were identical.  In the exceptional
    case, nr_images == 6 and depth == 1.
[...]
       - For GL_TEXTURE_CUBE_MAP, depth is 6.

But you now set it to 1 instead of 6 which of course overwrites a buffer.

The same problem is here:
@@ -335,7 +335,7 @@ i945_miptree_layout_cube(struct intel_mipmap_tree * mt)
 
    /* Set all the levels to effectively occupy the whole rectangular region. */
    for (level = mt->first_level; level <= mt->last_level; level++) {
-      intel_miptree_set_level_info(mt, level, 6,
+      intel_miptree_set_level_info(mt, level,
                                   0, 0,
                                   lvlWidth, lvlHeight, 1);
       lvlWidth /= 2;
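
Review bot: i945_miptree_layout_cube() has the same mismatch: with the `6` removed, `lvlWidth, lvlHeight, 1);` sets depth to 1 for every level of a cube map. Pass 6 as the last argument, and consider extending the comment above the loop to say that depth counts the six faces, so the argument is not mistaken for a plain 2D depth again.
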
Comment 1 Ian Romanick 2012-01-18 12:50:44 UTC
This should be fixed by the following commit on Mesa master.

commit 8a472427559ea33186c71dfbab8254651fec3077
Author: Ian Romanick <ian.d.romanick@intel.com>
Date:   Tue Jan 17 12:41:15 2012 -0800

    intel: Set depth to 6 for cubemaps
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=41216
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=43212
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=43250
    Signed-off-by: Ian Romanick <ian.d.romanick@intel.com>
    Reviewed-by: Chad Versace <chad.versace@linux.intel.com>
    Reviewed-by: Kenneth Graunke <kenneth@whitecape.org>
    Cc: Jin Yang <jin.a.yang@intel.com>
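
The failure mode reported in this bug, as an added example that is not Mesa code: a simplified model which assumes per-level slice storage is sized by the depth argument, with a bounds check on the slice index so the depth mismatch is rejected instead of writing past the allocation. The struct, the function names and the face placement are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (assumption, not Mesa's structures): one mip level
 * owning per-slice offset arrays sized by its depth. */
struct level_info {
    unsigned depth;
    unsigned *x_offset, *y_offset;
};

/* Allocate storage for `depth` slices. Returns 0 on success. */
static int level_init(struct level_info *lv, unsigned depth)
{
    lv->depth = 0;
    lv->x_offset = calloc(depth, sizeof *lv->x_offset);
    lv->y_offset = calloc(depth, sizeof *lv->y_offset);
    if (!lv->x_offset || !lv->y_offset) {
        free(lv->x_offset);
        free(lv->y_offset);
        return -1;
    }
    lv->depth = depth;
    return 0;
}

/* Record one slice offset. The index check is the guard: without it,
 * slice >= depth writes past the end of both arrays. */
static int level_set_slice(struct level_info *lv, unsigned slice,
                           unsigned x, unsigned y)
{
    if (slice >= lv->depth)
        return -1;
    lv->x_offset[slice] = x;
    lv->y_offset[slice] = y;
    return 0;
}

/* Place six cube faces (constructed layout) in a level created with
 * `depth` slices; returns how many faces fell outside the allocation. */
static unsigned place_cube_faces(unsigned depth, unsigned dim)
{
    struct level_info lv;
    unsigned face, rejected = 0;

    if (level_init(&lv, depth) != 0)
        return 6;
    for (face = 0; face < 6; face++)
        if (level_set_slice(&lv, face, 0, face * dim) != 0)
            rejected++;
    free(lv.x_offset);
    free(lv.y_offset);
    return rejected;
}

int main(void)
{
    printf("depth 1: %u faces out of bounds\n", place_cube_faces(1, 64));
    printf("depth 6: %u faces out of bounds\n", place_cube_faces(6, 64));
    return 0;
}
```
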
