From: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
Date: Fri, 5 Jul 2019 12:57:29 +0000 (+0200)
Subject: radeonsi: verify buffer_offset value before using it
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=ed98f8a63a578a425a1af641baa54ea4ad855775;p=mesa.git

radeonsi: verify buffer_offset value before using it

This buffer_ofset can come directly from the application (e.g: when using
glVertexAttribPointer) and can contain an invalid value.

st_atom_array already makes sure that if it's not negative so all that's left
is to verify that it's smaller that the buffer size.

Bugs related to this issue:

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105251#c52
Bugzilla: https://bugzilla.freedesktop.org/show_bug.cgi?id=109693
Signed-off-by: Marek Olšák <marek.olsak@amd.com>
---

diff --git a/src/gallium/drivers/radeonsi/si_descriptors.c b/src/gallium/drivers/radeonsi/si_descriptors.c
index ca58ec6577c..f7bd589e6d3 100644
--- a/src/gallium/drivers/radeonsi/si_descriptors.c
+++ b/src/gallium/drivers/radeonsi/si_descriptors.c
@@ -1160,6 +1160,13 @@ bool si_upload_vertex_buffer_descriptors(struct si_context *sctx)
 
 		int64_t offset = (int64_t)((int)vb->buffer_offset) +
 				 velems->src_offset[i];
+
+		if (offset >= buf->b.b.width0) {
+			assert(offset < buf->b.b.width0);
+			memset(desc, 0, 16);
+			continue;
+		}
+
 		uint64_t va = buf->gpu_address + offset;
 
 		int64_t num_records = (int64_t)buf->b.b.width0 - offset;