draw: check for integer overflows in instance computation
authorZack Rusin <zackr@vmware.com>
Tue, 25 Jun 2013 21:01:14 +0000 (17:01 -0400)
committerZack Rusin <zackr@vmware.com>
Fri, 28 Jun 2013 08:24:20 +0000 (04:24 -0400)
Integers could easily overflow if the starting instance
was large enough. Instead of letting bogus counts through,
set the instance to max if it overflowed and let our
regular buffer overflow computation handle it.

Signed-off-by: Zack Rusin <zackr@vmware.com>
src/gallium/auxiliary/draw/draw_llvm.c
src/gallium/auxiliary/draw/draw_pt.c

index c1b4acd25a864d43bef7cd6b4abfc78729469449..33cccfe99aa5e6e0f7ef7c98164c11c61e06996e 100644 (file)
@@ -768,6 +768,7 @@ generate_fetch(struct gallivm_state *gallivm,
                         lp_build_const_int32(
                            gallivm,
                            util_format_get_blocksize(velem->src_format)));
+   lp_build_printf(gallivm, "   instance_id = %u\n", instance_id);
    lp_build_printf(gallivm, "   stride = %u\n", stride);
    lp_build_printf(gallivm, "   buffer size = %u\n", buffer_size);
    lp_build_printf(gallivm, "   needed_buffer_size = %u\n", needed_buffer_size);
index e0b8007a4f5e02b56e4f255305f626bd2d5db06b..c4d06de84bb57770274bac3877eb4820093b037c 100644 (file)
@@ -533,6 +533,12 @@ draw_vbo(struct draw_context *draw,
 
    for (instance = 0; instance < info->instance_count; instance++) {
       draw->instance_id = instance + info->start_instance;
+      /* check for overflow */
+      if (draw->instance_id < instance ||
+          draw->instance_id < info->start_instance) {
+         /* if we overflown just set the instance id to the max */
+         draw->instance_id = 0xffffffff;
+      }
 
       draw_new_instance(draw);
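Review bot: The clamp to `0xffffffff` in the added block is only safe if every vertex-fetch path bounds-checks the resulting instance id, and nothing in this hunk shows that check; the draw_llvm.c hunk in this commit adds only a debug print. If an instance divisor is applied to `draw->instance_id` before the buffer-size comparison (not visible here), the clamped value could divide back into range and fetch a valid but wrong element, so that is worth confirming. The comment should name the dependency, for example `/* wrapped: clamp to the max id so the buffer-size check in the fetch code rejects it */`. Assuming `instance` and `info->start_instance` are both unsigned 32-bit (their declarations are outside the hunk), a wrapped sum is below both operands, so `if (draw->instance_id < info->start_instance)` alone detects it. The loop body and draw_vbo continue outside the hunk.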