st/nine: Fix the number of texture stages

The number of texture stages is 8.

'tex_stage' array was too big, and thus
the checks with 'Elements(state->ff.tex_stage)' were passing,
causing some invalid API calls to pass, and crash because of
out of bounds write since bumpmap_vars was just the correct size.

Signed-off-by: Axel Davy <axel.davy@ens.fr>

diff --git a/src/gallium/state_trackers/nine/nine_state.h b/src/gallium/state_trackers/nine/nine_state.h
index 4351e3e6ec7f6cfcb8c110f0bb0b1afee4a6e2d3..b34da70ef486c2c66681bc71e6a772175e74d1e1 100644 (file)
--- a/src/gallium/state_trackers/nine/nine_state.h
+++ b/src/gallium/state_trackers/nine/nine_state.h
@@ -102,6 +102,8 @@
      NINE_MAX_CONST_I * 4 * sizeof(int))
 
 
+#define NINE_MAX_TEXTURE_STAGES 8
+
 #define NINE_MAX_LIGHTS        65536
 #define NINE_MAX_LIGHTS_ACTIVE 8
 
@@ -156,7 +158,7 @@ struct nine_state
     int    ps_const_i[NINE_MAX_CONST_I][4];
     BOOL   ps_const_b[NINE_MAX_CONST_B];
     float *ps_lconstf_temp;
-    uint32_t bumpmap_vars[48];
+    uint32_t bumpmap_vars[6 * NINE_MAX_TEXTURE_STAGES];
 
     struct {
         void *vs;
@@ -191,7 +193,7 @@ struct nine_state
     struct {
         struct {
             uint32_t group;
-            uint32_t tex_stage[NINE_MAX_SAMPLERS][(NINED3DTSS_COUNT + 31) / 32];
+            uint32_t tex_stage[NINE_MAX_TEXTURE_STAGES][(NINED3DTSS_COUNT + 31) / 32];
             uint32_t transform[(NINED3DTS_COUNT + 31) / 32];
         } changed;
 
@@ -208,7 +210,7 @@ struct nine_state
 
         D3DMATERIAL9 material;
 
-        DWORD tex_stage[NINE_MAX_SAMPLERS][NINED3DTSS_COUNT];
+        DWORD tex_stage[NINE_MAX_TEXTURE_STAGES][NINED3DTSS_COUNT];
     } ff;
 
     uint32_t commit;

diff --git a/src/gallium/state_trackers/nine/stateblock9.c b/src/gallium/state_trackers/nine/stateblock9.c
index 032b9ffcbf0862161c4af16b1f66e8c1184e49b7..6d6e1be0b7fc2342323cc19206e7a8e163ed88a3 100644 (file)
--- a/src/gallium/state_trackers/nine/stateblock9.c
+++ b/src/gallium/state_trackers/nine/stateblock9.c
@@ -251,7 +251,7 @@ nine_state_copy_common(struct nine_state *dst,
         dst->ff.material = src->ff.material;
 
     if (mask->changed.group & NINE_STATE_FF_PSSTAGES) {
-        for (s = 0; s < NINE_MAX_SAMPLERS; ++s) {
+        for (s = 0; s < NINE_MAX_TEXTURE_STAGES; ++s) {
             for (i = 0; i < NINED3DTSS_COUNT; ++i)
                 if (mask->ff.changed.tex_stage[s][i / 32] & (1 << (i % 32)))
                     dst->ff.tex_stage[s][i] = src->ff.tex_stage[s][i];