summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEric Anholt <eric@anholt.net>2009-07-29 22:39:15 -0700
committerEric Anholt <eric@anholt.net>2009-10-01 14:31:03 -0700
commit4ff816751f74b0645c198372937eec589c458a60 (patch)
treed12c9a5859521d28a8976ecbea08a924d053ec28
parent994d1db079b4947e6f10ab22a4b366a676382345 (diff)
i915: Bail when the fragment program has too many total instructions.
Previously, we'd go trashing the heap.
Diffstat
-rw-r--r--src/mesa/drivers/dri/i915/i915_program.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/mesa/drivers/dri/i915/i915_program.c b/src/mesa/drivers/dri/i915/i915_program.c
index 85a1b0cf5d..6ccc9eea3e 100644
--- a/src/mesa/drivers/dri/i915/i915_program.c
+++ b/src/mesa/drivers/dri/i915/i915_program.c
@@ -186,6 +186,11 @@ i915_emit_arith(struct i915_fragment_program * p,
p->utemp_flag = old_utemp_flag; /* restore */
}
+ if (p->csr >= p->program + I915_PROGRAM_SIZE) {
+ i915_program_error(p, "Program contains too many instructions");
+ return UREG_BAD;
+ }
+
*(p->csr++) = (op | A0_DEST(dest) | mask | saturate | A0_SRC0(src0));
*(p->csr++) = (A1_SRC0(src0) | A1_SRC1(src1));
*(p->csr++) = (A2_SRC1(src1) | A2_SRC2(src2));
@@ -270,6 +275,11 @@ GLuint i915_emit_texld( struct i915_fragment_program *p,
p->register_phases[GET_UREG_NR(coord)] == p->nr_tex_indirect)
p->nr_tex_indirect++;
+ if (p->csr >= p->program + I915_PROGRAM_SIZE) {
+ i915_program_error(p, "Program contains too many instructions");
+ return UREG_BAD;
+ }
+
*(p->csr++) = (op |
T0_DEST( dest ) |
T0_SAMPLER( sampler ));
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-20 04:55:48 +0000