From 90647ff5585ffb1417190e28f88bf1aeed681793 Mon Sep 17 00:00:00 2001
From: Pauli Nieminen <suokkos@gmail.com>
Date: Fri, 21 Aug 2009 21:21:16 +0300
Subject: radeon: protect against buffer overflow in state atom debug code.

---
 src/mesa/drivers/dri/radeon/radeon_common.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/mesa/drivers/dri/radeon/radeon_common.c b/src/mesa/drivers/dri/radeon/radeon_common.c
index 4088ef303c..30d24574ed 100644
--- a/src/mesa/drivers/dri/radeon/radeon_common.c
+++ b/src/mesa/drivers/dri/radeon/radeon_common.c
@@ -904,6 +904,9 @@ static void radeon_print_state_atom_prekmm(radeonContextPtr radeon, struct radeo
 	fprintf(stderr, "  emit %s %d/%d\n", state->name, dwords, state->cmd_size);
 
 	if (RADEON_DEBUG & DEBUG_VERBOSE) {
+		if (dwords > state->cmd_size)
+			dwords = state->cmd_size;
+
 		for (i = 0; i < dwords;) {
 			cmd = *((drm_r300_cmd_header_t *) &state->cmd[i]);
 			reg = (cmd.packet0.reghi << 8) | cmd.packet0.reglo;
@@ -938,6 +941,8 @@ static void radeon_print_state_atom(radeonContextPtr radeon, struct radeon_state
 	fprintf(stderr, "  emit %s %d/%d\n", state->name, dwords, state->cmd_size);
 
 	if (RADEON_DEBUG & DEBUG_VERBOSE) {
+		if (dwords > state->cmd_size)
+			dwords = state->cmd_size;
 		for (i = 0; i < state->cmd_size;) {
 			packet0 = state->cmd[i];
 			reg = (packet0 & 0x1FFF) << 2;
-- 
cgit v1.2.3