[PATCH 0/1] MR7710: d3d10/effect: Fix constant buffer overrun when updating expression constants (ASan). - Wine-gitlab - list.winehq.org

newer
[PATCH 0/5] MR7742: Cmd engine...

[PATCH 0/1] MR7710: d3d10/effect: Fix constant buffer overrun when updating expression constants (ASan).

older
[PATCH 0/1] MR7703: d2d1: Add...

Nikolay Sivov (＠nsivov)

1 Apr 2025 1 Apr '25

10 a.m.

Signed-off-by: Nikolay Sivov <nsivov(a)codeweavers.com> -- https://gitlab.winehq.org/wine/wine/-/merge_requests/7710

Reply

Sign in to reply online Use email software

Show replies by date

Nikolay Sivov

1 Apr 1 Apr

10 a.m.

New subject: [PATCH 1/1] d3d10/effect: Fix constant buffer overrun when updating expression constants (ASan).

From: Nikolay Sivov <nsivov(a)codeweavers.com> Signed-off-by: Nikolay Sivov <nsivov(a)codeweavers.com> --- dlls/d3d10/effect.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/dlls/d3d10/effect.c b/dlls/d3d10/effect.c index 02e71e4dcee..f27a128f15d 100644 --- a/dlls/d3d10/effect.c +++ b/dlls/d3d10/effect.c @@ -940,8 +940,13 @@ static HRESULT d3d10_effect_preshader_eval(struct d3d10_effect_preshader *p) for (i = 0; i < p->vars_count; ++i) { struct d3d10_ctab_var *v = &p->vars[i]; - memcpy(dst + v->offset, v->v->buffer->u.buffer.local_buffer + v->v->buffer_offset, - v->length * sizeof(*dst)); + size_t size; + + /* Constant table variables are allocated at register granularity. + Corresponding constant buffer variables does not share same alignment, + overall buffer size alignment to 16 bytes also does not help. */ + size = min(v->length * sizeof(*dst), v->v->type->size_unpacked); + memcpy(dst + v->offset, v->v->buffer->u.buffer.local_buffer + v->v->buffer_offset, size); } instr_count = *ip++; -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/7710

Reply

Sign in to reply online Use email software

Matteo Bruni (＠Mystral)

4 Apr 4 Apr

12:45 p.m.

Matteo Bruni (@Mystral) commented about dlls/d3d10/effect.c:

for (i = 0; i < p->vars_count; ++i) { struct d3d10_ctab_var *v = &p->vars[i]; - memcpy(dst + v->offset, v->v->buffer->u.buffer.local_buffer + v->v->buffer_offset, - v->length * sizeof(*dst)); + size_t size; + + /* Constant table variables are allocated at register granularity. + Corresponding constant buffer variables does not share same alignment, + overall buffer size alignment to 16 bytes also does not help. */ + size = min(v->length * sizeof(*dst), v->v->type->size_unpacked); + memcpy(dst + v->offset, v->v->buffer->u.buffer.local_buffer + v->v->buffer_offset, size);

Double checking I understand this correctly: this fixes a potential out of bounds while *reading from* `local_buffer`? -- https://gitlab.winehq.org/wine/wine/-/merge_requests/7710#note_99992

Reply

Sign in to reply online Use email software

Matteo Bruni (＠Mystral)

12:45 p.m.

New subject: [PATCH 0/1] MR7710: d3d10/effect: Fix constant buffer overrun when updating expression constants (ASan). - approved

This merge request was approved by Matteo Bruni. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/7710

Reply

Sign in to reply online Use email software

Nikolay Sivov (＠nsivov)

12:49 p.m.

On Fri Apr 4 12:45:46 2025 +0000, Matteo Bruni wrote:

Double checking I understand this correctly: this fixes a potential out of bounds while *reading from* `local_buffer`? Correct.

-- https://gitlab.winehq.org/wine/wine/-/merge_requests/7710#note_99994

Reply

Sign in to reply online Use email software

257

Age (days ago)

260

Last active (days ago)

Download

4 comments

3 participants

tags

participants (3)

Matteo Bruni (＠Mystral)
Nikolay Sivov
Nikolay Sivov (＠nsivov)