OpenHarmony/third_party_mesa3d
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

util/bitset: Avoid out-of-bounds reads

Browse Source 
I missed a corner case here: when the next range ends right at the end
of the bitset, we need to return immediately to avoid trying to search
after the bitset. And when finding the next end, we similarly need to
bail if the range is size 1 at the very end of the range. In practice
this probably would'nt have been noticed, because it would break out of
the loop anyway, but I happened to be running something using this under
Valgrind and it complained.

Reviewed-by: Eric Anholt <eric@anholt.net>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/10076>
This commit is contained in:
Connor Abbott
2021-02-23 17:30:33 +01:00
committed by Marge Bot
parent 387189a955
commit 8cd7950014
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/util/bitset.h
View File

@@ -165,6 +165,10 @@ __bitset_next_range(unsigned *start, unsigned *end, const BITSET_WORD *set,
* 0-bit after the range. * 0-bit after the range.
*/ */
unsigned word = BITSET_BITWORD(*end); unsigned word = BITSET_BITWORD(*end);
if (word >= BITSET_WORDS(size)) {
*start = *end = size;
return;
}
BITSET_WORD tmp = set[word] & ~(BITSET_BIT(*end) - 1); BITSET_WORD tmp = set[word] & ~(BITSET_BIT(*end) - 1);
while (!tmp) { while (!tmp) {
word++; word++;
@@ -182,6 +186,10 @@ __bitset_next_range(unsigned *start, unsigned *end, const BITSET_WORD *set,
* 0-bit. * 0-bit.
*/ */
word = BITSET_BITWORD(*start + 1); word = BITSET_BITWORD(*start + 1);
if (word >= BITSET_WORDS(size)) {
*end = size;
return;
}
tmp = set[word] | (BITSET_BIT(*start + 1) - 1); tmp = set[word] | (BITSET_BIT(*start + 1) - 1);
while (~tmp == 0) { while (~tmp == 0) {
word++; word++;