Fix texture sampling buffer overrun.

Sampling byte4 data currently reads 8 bytes for unpacking purposes.
Allocate 4 more bytes to prevent reading outside the image, even
though it's unused data.

Bug 21935792

Change-Id: I162fb3f3575131cedb008f82ef5170e773719e41
Reviewed-on: https://swiftshader-review.googlesource.com/3572
Reviewed-by: Alexis Hétu <sugoi@google.com>
Tested-by: Nicolas Capens <capn@google.com>
Reviewed-by: Nicolas Capens <capn@google.com>

diff --git a/src/Renderer/Surface.cpp b/src/Renderer/Surface.cpp
index 300ce35..40aa920 100644 (file)
--- a/src/Renderer/Surface.cpp
+++ b/src/Renderer/Surface.cpp
@@ -2382,7 +2382,9 @@ namespace sw
                int width2 = (width + 1) & ~1;
                int height2 = (height + 1) & ~1;
 
-               return allocateZero(size(width2, height2, depth, format));
+               // FIXME: Unpacking byte4 to short4 in the sampler currently involves reading 8 bytes,
+               // so we have to allocate 4 extra bytes to avoid buffer overruns.
+               return allocateZero(size(width2, height2, depth, format) + 4);
        }
 
        void Surface::memfill4(void *buffer, int pattern, int bytes)