In get_tex_memcpy, when copying texture data directly from source
to destination (when row strides match for both src and dst), the
copy size is currently calculated using the full texture height
instead of the sub-region height parameter that was passed.
This can cause a read past the end of the mapped buffer when y-offset
is greater than zero, leading to a segfault.
Fixes CTS test (from crash to pass):
* GL45-CTS/get_texture_sub_image/functional_test
v2: (Jason) Use the passed 'height' instead of copying til the
end of the buffer (tex-height - yoffset).
---
src/mesa/main/texgetimage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mesa/main/texgetimage.c b/src/mesa/main/texgetimage.c
index b900278..0186819 100644
--- a/src/mesa/main/texgetimage.c
+++ b/src/mesa/main/texgetimage.c
@@ -654,7 +654,7 @@ get_tex_memcpy(struct gl_context *ctx,
if (src) {
if (bytesPerRow == dstRowStride && bytesPerRow == srcRowStride) {
- memcpy(dst, src, bytesPerRow * texImage->Height);
+ memcpy(dst, src, bytesPerRow * height);
}
else {
GLuint row;
--
2.10.2
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/mesa-dev
