From a95f4607841574fe7eb511ebf8be4d4c3d946c78 Mon Sep 17 00:00:00 2001
From: Yu Kang Ku <yu.kang.ku@intel.com>
Date: Wed, 11 Mar 2020 22:09:13 -0700
Subject: [PATCH] [VP] Fix memory corruption
When KernelDll_BuildKernel_CmFc() calls cm_fc_combine_kernels()
(see [1]), one of the inputs is &dwEstimatedKernelSize. It is a
uint32_t pointer but is typecasted to a size_t pointer.
On platforms where size_t is a 64-bit integer, subsequent write
operations through this size_t pointer result in 4 bytes of
memory corruption.
[1] https://github.com/intel/media-driver/blob/master/media_driver/agnostic/common/vp/kdll/hal_kerneldll.c#L5045
(cherry picked from commit 3783175d95a4d27cc3be6d69e144b5f7d521cbbf)
---
.../agnostic/common/vp/kdll/hal_kerneldll.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/media_driver/agnostic/common/vp/kdll/hal_kerneldll.c b/media_driver/agnostic/common/vp/kdll/hal_kerneldll.c
index 7532c736..bd530007 100644
--- a/media_driver/agnostic/common/vp/kdll/hal_kerneldll.c
+++ b/media_driver/agnostic/common/vp/kdll/hal_kerneldll.c
@@ -4915,7 +4915,7 @@ bool KernelDll_BuildKernel_CmFc(Kdll_State *pState, Kdll_SearchState *pSearchSta
int32_t iOffset;
uint32_t dwResolveOffset[DL_MAX_EXPORT_COUNT];
uint32_t dwTotalKernelCount;
- uint32_t dwEstimatedKernelSize;
+ size_t stEstimatedKernelSize;
int32_t iKUID;
bool bResolveDone;
int32_t i;
@@ -4946,7 +4946,7 @@ bool KernelDll_BuildKernel_CmFc(Kdll_State *pState, Kdll_SearchState *pSearchSta
MOS_ZeroMemory(Cm_Fc_kernels, sizeof(Cm_Fc_kernels));
dwTotalKernelCount = 0;
- dwEstimatedKernelSize = 0;
+ stEstimatedKernelSize = 0;
#if EMUL || VPHAL_LIB || _DEBUG
VPHAL_RENDER_NORMALMESSAGE("Component Kernels:");
@@ -4964,7 +4964,7 @@ bool KernelDll_BuildKernel_CmFc(Kdll_State *pState, Kdll_SearchState *pSearchSta
// Append/Patch kernel from internal cache
res = Kdll_AddKernelList(pKernelCache, pPatchCache, pSearchState, *pKernelID, pKernelPatch, pPatchData, &Cm_Fc_kernels[dwTotalKernelCount]);
- dwEstimatedKernelSize += Cm_Fc_kernels[dwTotalKernelCount].binary_size;
+ stEstimatedKernelSize += Cm_Fc_kernels[dwTotalKernelCount].binary_size;
if (*pKernelID == IDR_VP_EOT)
{
@@ -5031,17 +5031,17 @@ bool KernelDll_BuildKernel_CmFc(Kdll_State *pState, Kdll_SearchState *pSearchSta
} // for
} while (!bResolveDone);
- if (dwEstimatedKernelSize > DL_MAX_KERNEL_SIZE)
+ if (stEstimatedKernelSize > DL_MAX_KERNEL_SIZE)
{
res = false;
VPHAL_RENDER_NORMALMESSAGE("Kernel size exceeded kdll limitatin.");
goto finish;
}
- dwEstimatedKernelSize = DL_MAX_KERNEL_SIZE;
+ stEstimatedKernelSize = DL_MAX_KERNEL_SIZE;
// Get combine kernel binary from CMFC lib
- if (CM_FC_OK != cm_fc_combine_kernels(dwTotalKernelCount, Cm_Fc_kernels, (char *)pSearchState->Kernel, (size_t *)&dwEstimatedKernelSize, nullptr))
+ if (CM_FC_OK != cm_fc_combine_kernels(dwTotalKernelCount, Cm_Fc_kernels, (char *)pSearchState->Kernel, &stEstimatedKernelSize, nullptr))
{
res = false;
VPHAL_RENDER_NORMALMESSAGE("cm_fc_combine_kernels() function call failed.");
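Review bot: The size that cm_fc_combine_kernels() presumably writes back through `&stEstimatedKernelSize` is stored into pSearchState->KernelSize in the last hunk with a bare `(int)` cast and no check against DL_MAX_KERNEL_SIZE, the capacity the buffer was pre-checked for before the call. Whether the library can report a size above the supplied capacity is not visible here, but if it does, the out-of-range (or int-truncated) value propagates silently as the kernel binary size. Between the failure check in this hunk and the assignment in the last hunk I would add `if (stEstimatedKernelSize > DL_MAX_KERNEL_SIZE) { res = false; VPHAL_RENDER_NORMALMESSAGE("cm_fc_combine_kernels() returned an oversized kernel."); goto finish; }` so the value is bounded before the narrowing cast. KernelDll_BuildKernel_CmFc starts before this hunk and its `finish` label lies outside it.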
@@ -5049,7 +5049,7 @@ bool KernelDll_BuildKernel_CmFc(Kdll_State *pState, Kdll_SearchState *pSearchSta
}
// Get combine kernel binary size from CMFC lib
- pSearchState->KernelSize = dwEstimatedKernelSize;
+ pSearchState->KernelSize = (int) stEstimatedKernelSize;
res = true;
--
2.26.2