From 4439dc7e23112b21a38229affe21d8afed83b6e6 Mon Sep 17 00:00:00 2001
From: Patrick Lerda
Date: Fri, 2 Jun 2023 01:33:03 +0200
Subject: [PATCH] r600: fix r600_draw_vbo() buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The previous implementation was copying the data using the aligned length (size_dw). The aligned length could overflow the original buffer size.
For instance, this issue is triggered with "piglit/bin/draw-batch -auto -fbo":
==5736==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff139c77e8 at pc 0x7f25b350a9a0 bp 0x7fff139c6cb0 sp 0x7fff139c6460
READ of size 8 at 0x7fff139c77e8 thread T0
#0 0x7f25b350a99f in __interceptor_memcpy (/usr/lib64/libasan.so.6+0x3c99f)
#1 0x7f25a8fcdf24 in radeon_emit_array ../src/gallium/include/winsys/radeon_winsys.h:760
#2 0x7f25a8fcdf24 in r600_draw_vbo ../src/gallium/drivers/r600/r600_state_common.c:2448
#3 0x7f25a8ae7ba1 in u_vbuf_draw_vbo ../src/gallium/auxiliary/util/u_vbuf.c:1791
#4 0x7f25a7bc18ca in _mesa_validated_drawrangeelements ../src/mesa/main/draw.c:1696
#5 0x7f25a7bc7e53 in _mesa_DrawElements ../src/mesa/main/draw.c:1824
Fixes: 0cf5d1f22620 ("gallium: remove PIPE_CAP_INFO_START_WITH_USER_INDICES and fix all drivers")
Signed-off-by: Patrick Lerda
Reviewed-by: Marek Olšák
Part-of:
(cherry picked from commit 340311dac9cf6425c3bdfbec1c38ae38f974607b)
---
 .pick_status.json | 2 +-
 src/gallium/drivers/r600/r600_state_common.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.pick_status.json b/.pick_status.json
index f61db2c74089..b59db862cb3f 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -490,7 +490,7 @@
 "description": "r600: fix r600_draw_vbo() buffer overflow",
 "nominated": true,
 "nomination_type": 1,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": "0cf5d1f22620d67659bbd632a2400c3a6956a011"
 },
diff --git a/src/gallium/drivers/r600/r600_state_common.c b/src/gallium/drivers/r600/r600_state_common.c
index 32c66ca4d0b6..894ace8dd039 100644
--- a/src/gallium/drivers/r600/r600_state_common.c
+++ b/src/gallium/drivers/r600/r600_state_common.c
@@ -2456,7 +2456,9 @@ static void r600_draw_vbo(struct pipe_context *ctx, const struct pipe_draw_info
 radeon_emit(cs, PKT3(PKT3_DRAW_INDEX_IMMD, 1 + size_dw, render_cond_bit));
 radeon_emit(cs, draws[0].count);
 radeon_emit(cs, V_0287F0_DI_SRC_SEL_IMMEDIATE);
- radeon_emit_array(cs, info->index.user + draws[0].start * index_size, size_dw);
+ memcpy(cs->current.buf + cs->current.cdw,
+ info->index.user + draws[0].start * index_size, size_bytes);
+ cs->current.cdw += size_dw;
 } else {
 uint64_t va = r600_resource(indexbuf)->gpu_address + index_offset;
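Review bot: The added memcpy copies size_bytes while the following line still advances cdw by size_dw, so whenever size_bytes is not a multiple of 4 the unused tail of the last emitted dword keeps whatever cs->current.buf previously held, and the submitted command stream is no longer a deterministic function of the draw; zeroing that dword before the copy fixes it, e.g. `if (size_bytes & 3) cs->current.buf[cs->current.cdw + size_dw - 1] = 0;` placed just above the memcpy. The fix itself is sound: the removed radeon_emit_array read size_dw * 4 bytes from the user index buffer, which is exactly the over-read in the reported trace. If radeon_emit_array carries a debug-build space check on cdw that the open-coded memcpy does not, it is worth reinstating here — confirm against radeon_winsys.h. r600_draw_vbo begins and ends outside the hunk, and size_bytes and size_dw are defined above it; the hunk's last context line (7/9 line counts) appears to be a blank line collapsed in this rendering.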