From: Juan A. Suarez Romero Date: Thu, 21 Apr 2022 14:26:39 +0000 (+0200) Subject: v3dv: duplicate key on hashtable insert X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=697e98c66e5ab10506b4a95c3e849c5d60d8e1a1;p=platform%2Fupstream%2Fmesa.git v3dv: duplicate key on hashtable insert The key is created on stack, so as soon as the function returns this key is lost, so the inserted key in the hashtable is invalid. Rather, insert a duplicated version on heap. This fixes a stack-buffer-overflow when running some Vulkan CTS tests. Signed-off-by: Juan A. Suarez Romero Reviewed-by: Iago Toral Quiroga Part-of:
---
diff --git a/src/broadcom/vulkan/v3dv_meta_copy.c b/src/broadcom/vulkan/v3dv_meta_copy.c
index c474b50..a3a0eb4 100644
--- a/src/broadcom/vulkan/v3dv_meta_copy.c
+++ b/src/broadcom/vulkan/v3dv_meta_copy.c
@@ -1885,7 +1885,7 @@ get_copy_texel_buffer_pipeline(
 mtx_lock(&device->meta.mtx);
 struct hash_entry *entry = _mesa_hash_table_search(device->meta.texel_buffer_copy.cache[image_type],
- &key);
+ key);
 if (entry) {
 mtx_unlock(&device->meta.mtx);
 *pipeline = entry->data;
@@ -1914,8 +1914,10 @@ get_copy_texel_buffer_pipeline(
 if (!ok) goto fail;
+ uint8_t *dupkey = malloc(V3DV_META_TEXEL_BUFFER_COPY_CACHE_KEY_SIZE);
+ memcpy(dupkey, key, V3DV_META_TEXEL_BUFFER_COPY_CACHE_KEY_SIZE);
 _mesa_hash_table_insert(device->meta.texel_buffer_copy.cache[image_type],
- &key, *pipeline);
+ dupkey, *pipeline);
 mtx_unlock(&device->meta.mtx);
 return true;
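Review bot: The `malloc` result in the second hunk is passed straight to `memcpy` without a NULL check, so an allocation failure becomes a NULL write while `device->meta.mtx` is still held. Adding `if (!dupkey) goto fail;` between the two added lines would reuse the existing error path, assuming the `fail` label (outside the hunk) releases the mutex and cleans up the pipeline as it does for the `!ok` case. The hash table now owns the heap copy, so the return value of `_mesa_hash_table_insert` should be checked and `dupkey` freed if the insert fails, and the cache teardown has to free each key; that teardown code is not visible here and should be confirmed. A short comment above the `malloc`, such as `/* key lives on the stack; the table must own a heap copy */`, would record why the copy exists.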