Reading p+1 when p==end is an out of bounds read.
Signed-off-by: Rebecca Palmer <[email protected]>
---
(Found by valgrind while investigating #90472; probably not the
actual cause of that crash, but still a bug.)
diff --git a/backend/src/llvm/llvm_printf_parser.cpp
b/backend/src/llvm/llvm_printf_parser.cpp
index bdaed8a..f427107 100644
--- a/backend/src/llvm/llvm_printf_parser.cpp
+++ b/backend/src/llvm/llvm_printf_parser.cpp
@@ -229,7 +229,7 @@ again:
printf("string end with %%\n");
goto error;
}
- if (*(p + 1) == '%') { // %%
+ if (p + 1 < end && *(p + 1) == '%') { // %%
p += 2;
goto again;
}
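Review bot: The added `p + 1 < end` test guards only the `%%` comparison; when `p + 1 >= end` control now falls through to the code after this `if`, which the hunk does not show, so please confirm that path does not read `*(p + 1)` either, or send that case to the `goto error` branch directly above. The context lines already contain an end-of-string check (the one that prints "string end with %"), and if it is meant to catch a trailing `%`, tightening its condition may be a cleaner fix than a second bounds test here. A one-line comment saying whether `end` is the last valid byte or one past it would also make the choice of `<` over `<=` easy to verify.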
_______________________________________________
Beignet mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/beignet