From: Tapani Pälli Date: Thu, 14 Feb 2019 07:02:31 +0000 (+0200) Subject: mesa: return NULL if we exceed MaxColorAttachments in get_fb_attachment X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=9762a9f89380a8070654a80e73d927297c29da35;p=mesa.git mesa: return NULL if we exceed MaxColorAttachments in get_fb_attachment This fixes invalid access to Attachment array which would occur if caller would exceed MaxColorAttachments. In practice this should not ever happen because DiscardFramebufferEXT specifies only GL_COLOR_ATTACHMENT0 to be valid and InvalidateFramebuffer will error out before but this should make coverity happy. v2: const, remove _EXT (Ian) CID: 1442559 Fixes: 0c42b5f3cb9 "mesa: wire up InvalidateFramebuffer" Signed-off-by: Tapani Pälli Reviewed-by: Ian Romanick --- diff --git a/src/mesa/main/fbobject.c b/src/mesa/main/fbobject.c index 87c33be7854..341fd93efc6 100644 --- a/src/mesa/main/fbobject.c +++ b/src/mesa/main/fbobject.c @@ -4663,8 +4663,12 @@ get_fb_attachment(struct gl_context *ctx, struct gl_framebuffer *fb, case GL_COLOR_ATTACHMENT12: case GL_COLOR_ATTACHMENT13: case GL_COLOR_ATTACHMENT14: - case GL_COLOR_ATTACHMENT15: - return &fb->Attachment[BUFFER_COLOR0 + attachment - GL_COLOR_ATTACHMENT0]; + case GL_COLOR_ATTACHMENT15: { + const unsigned i = attachment - GL_COLOR_ATTACHMENT0; + if (i >= ctx->Const.MaxColorAttachments) + return NULL; + return &fb->Attachment[BUFFER_COLOR0 + i]; + } case GL_DEPTH: case GL_DEPTH_ATTACHMENT: case GL_DEPTH_STENCIL_ATTACHMENT: