From 4ff816751f74b0645c198372937eec589c458a60 Mon Sep 17 00:00:00 2001
From: Eric Anholt <eric@anholt.net>
Date: Wed, 29 Jul 2009 22:39:15 -0700
Subject: i915: Bail when the fragment program has too many total instructions.

Previously, we'd go trashing the heap.
---
 src/mesa/drivers/dri/i915/i915_program.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'src/mesa/drivers/dri/i915')

diff --git a/src/mesa/drivers/dri/i915/i915_program.c b/src/mesa/drivers/dri/i915/i915_program.c
index 85a1b0cf5d..6ccc9eea3e 100644
--- a/src/mesa/drivers/dri/i915/i915_program.c
+++ b/src/mesa/drivers/dri/i915/i915_program.c
@@ -186,6 +186,11 @@ i915_emit_arith(struct i915_fragment_program * p,
       p->utemp_flag = old_utemp_flag;   /* restore */
    }
 
+   if (p->csr >= p->program + I915_PROGRAM_SIZE) {
+      i915_program_error(p, "Program contains too many instructions");
+      return UREG_BAD;
+   }
+
    *(p->csr++) = (op | A0_DEST(dest) | mask | saturate | A0_SRC0(src0));
    *(p->csr++) = (A1_SRC0(src0) | A1_SRC1(src1));
    *(p->csr++) = (A2_SRC1(src1) | A2_SRC2(src2));
@@ -270,6 +275,11 @@ GLuint i915_emit_texld( struct i915_fragment_program *p,
 	  p->register_phases[GET_UREG_NR(coord)] == p->nr_tex_indirect)
 	 p->nr_tex_indirect++;
 
+      if (p->csr >= p->program + I915_PROGRAM_SIZE) {
+	 i915_program_error(p, "Program contains too many instructions");
+	 return UREG_BAD;
+      }
+
       *(p->csr++) = (op | 
 		     T0_DEST( dest ) |
 		     T0_SAMPLER( sampler ));
-- 
cgit v1.2.3