From: Roland Scheidegger Date: Fri, 2 Nov 2012 15:48:49 +0000 (+0100) Subject: draw: fix crashes with out-of-bounds indices X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=94f9ea03a12fe1adf90c0e5defb0063cd568b537;p=mesa.git draw: fix crashes with out-of-bounds indices The passthrough pipeline needs to check index values (which might be passed through) as they can be invalid (which causes crashes and various assertion failures if the clip code runs). Obviously, rendering won't be well-defined, but those bogus indices might come directly from apps. There were already debug printfs which reported the out-of-bounds indices but we really ought to not crash. While checking at that point doesn't seem like the most efficient solution, it seems there isn't really another appropriate function to do it. Reviewed-by: Brian Paul Reviewed-by: José Fonseca --- diff --git a/src/gallium/auxiliary/draw/draw_pipe.c b/src/gallium/auxiliary/draw/draw_pipe.c index d754504f200..ac449b75f00 100644 --- a/src/gallium/auxiliary/draw/draw_pipe.c +++ b/src/gallium/auxiliary/draw/draw_pipe.c @@ -33,6 +33,7 @@ #include "draw/draw_private.h" #include "draw/draw_pipe.h" #include "util/u_debug.h" +#include "util/u_math.h" @@ -193,7 +194,7 @@ static void do_triangle( struct draw_context *draw, do_point( draw, verts + stride * (i0) ); \ } while (0) -#define GET_ELT(idx) (elts[idx]) +#define GET_ELT(idx) (MIN2(elts[idx], max_index)) #define FUNC pipe_run_elts #define FUNC_VARS \ @@ -203,7 +204,8 @@ static void do_triangle( struct draw_context *draw, struct vertex_header *vertices, \ unsigned stride, \ const ushort *elts, \ - unsigned count + unsigned count, \ + unsigned max_index #include "draw_pt_decompose.h" @@ -262,7 +264,8 @@ void draw_pipeline_run( struct draw_context *draw, vert_info->verts, vert_info->stride, prim_info->elts + start, - count); + count, + vert_info->count - 1); } draw->pipeline.verts = NULL; diff --git a/src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h b/src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h index 75cbec87bed..2e94705609f 100644 --- a/src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h +++ b/src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h @@ -55,7 +55,7 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit, for (i = 0; i < icount; i++) { ELT_TYPE idx = ib[i]; - if (idx < min_index || idx > max_index) { + if (idx < min_index || idx > max_index) { debug_printf("warning: index out of range\n"); } } @@ -90,7 +90,7 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit, if (idx < min_index || idx > max_index) { debug_printf("warning: index out of range\n"); - } + } vsplit->draw_elts[i] = (ushort) idx; } } @@ -100,7 +100,7 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit, if (idx < min_index || idx > max_index) { debug_printf("warning: index out of range\n"); - } + } vsplit->draw_elts[i] = (ushort) (idx - min_index); } }