From 1773611c526844cecee84dd8c8241f888666aa1c Mon Sep 17 00:00:00 2001 From: Emil Velikov Date: Thu, 16 Jan 2014 16:53:45 +0000 Subject: [PATCH] nv50: assert before trying to out-of-bounds access vtxbuf Signed-off-by: Emil Velikov Reviewed-by: Ilia Mirkin --- src/gallium/drivers/nouveau/nv50/nv50_context.c | 2 ++ src/gallium/drivers/nouveau/nv50/nv50_push.c | 1 + src/gallium/drivers/nouveau/nv50/nv50_vbo.c | 12 +++++++++++- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/gallium/drivers/nouveau/nv50/nv50_context.c b/src/gallium/drivers/nouveau/nv50/nv50_context.c index 9ea425e4c9b..a4ec93a7a08 100644 --- a/src/gallium/drivers/nouveau/nv50/nv50_context.c +++ b/src/gallium/drivers/nouveau/nv50/nv50_context.c @@ -80,6 +80,7 @@ nv50_context_unreference_resources(struct nv50_context *nv50) util_unreference_framebuffer_state(&nv50->framebuffer); + assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS); for (i = 0; i < nv50->num_vtxbufs; ++i) pipe_resource_reference(&nv50->vtxbuf[i].buffer, NULL); @@ -149,6 +150,7 @@ nv50_invalidate_resource_storage(struct nouveau_context *ctx, } if (res->bind & PIPE_BIND_VERTEX_BUFFER) { + assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS); for (i = 0; i < nv50->num_vtxbufs; ++i) { if (nv50->vtxbuf[i].buffer == res) { nv50->dirty |= NV50_NEW_ARRAYS; diff --git a/src/gallium/drivers/nouveau/nv50/nv50_push.c b/src/gallium/drivers/nouveau/nv50/nv50_push.c index 3e9a4096cf0..a3a397c52c1 100644 --- a/src/gallium/drivers/nouveau/nv50/nv50_push.c +++ b/src/gallium/drivers/nouveau/nv50/nv50_push.c @@ -219,6 +219,7 @@ nv50_push_vbo(struct nv50_context *nv50, const struct pipe_draw_info *info) ctx.packet_vertex_limit = nv50->vertex->packet_vertex_limit; ctx.vertex_words = nv50->vertex->vertex_size; + assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS); for (i = 0; i < nv50->num_vtxbufs; ++i) { const struct pipe_vertex_buffer *vb = &nv50->vtxbuf[i]; const uint8_t *data; 
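Review bot: The `assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS)` added before the loop in nv50_context_unreference_resources only protects builds where assertions are enabled; where they are compiled out, the loop can still index `nv50->vtxbuf[]` past its end if the count is ever too large. The same applies to the identical asserts in nv50_invalidate_resource_storage, nv50_push_vbo, nv50_upload_user_buffers and the first loop of nv50_vertex_arrays_validate. If the count can be influenced from outside the driver, the bound is better enforced once where `num_vtxbufs` is assigned (not part of this diff), or in each loop condition, e.g. `for (i = 0; i < nv50->num_vtxbufs && i < PIPE_MAX_ATTRIBS; ++i)`. This assumes `vtxbuf` is declared with PIPE_MAX_ATTRIBS entries, which the diff does not show; all of these function bodies continue outside their hunks.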
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_vbo.c b/src/gallium/drivers/nouveau/nv50/nv50_vbo.c index 947c67d6a75..1dcccfe0806 100644 --- a/src/gallium/drivers/nouveau/nv50/nv50_vbo.c +++ b/src/gallium/drivers/nouveau/nv50/nv50_vbo.c @@ -192,6 +192,7 @@ static INLINE void nv50_user_vbuf_range(struct nv50_context *nv50, int vbi, uint32_t *base, uint32_t *size) { + assert(vbi < PIPE_MAX_ATTRIBS); if (unlikely(nv50->vertex->instance_bufs & (1 << vbi))) { /* TODO: use min and max instance divisor to get a proper range */ *base = 0; @@ -211,6 +212,7 @@ nv50_upload_user_buffers(struct nv50_context *nv50, { unsigned b; + assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS); for (b = 0; b < nv50->num_vtxbufs; ++b) { struct nouveau_bo *bo; const struct pipe_vertex_buffer *vb = &nv50->vtxbuf[b]; @@ -241,9 +243,12 @@ nv50_update_user_vbufs(struct nv50_context *nv50) for (i = 0; i < nv50->vertex->num_elements; ++i) { struct pipe_vertex_element *ve = &nv50->vertex->element[i].pipe; const unsigned b = ve->vertex_buffer_index; - struct pipe_vertex_buffer *vb = &nv50->vtxbuf[b]; + struct pipe_vertex_buffer *vb; uint32_t base, size; + assert(b < PIPE_MAX_ATTRIBS); + vb = &nv50->vtxbuf[b]; + if (!(nv50->vbo_user & (1 << b))) continue; @@ -306,6 +311,7 @@ nv50_vertex_arrays_validate(struct nv50_context *nv50) if (!nv50->vbo_fifo) { /* if vertex buffer was written by GPU - flush VBO cache */ + assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS); for (i = 0; i < nv50->num_vtxbufs; ++i) { struct nv04_resource *buf = nv04_resource(nv50->vtxbuf[i].buffer); if (buf && buf->status & NOUVEAU_BUFFER_STATUS_GPU_WRITING) { @@ -332,6 +338,8 @@ nv50_vertex_arrays_validate(struct nv50_context *nv50) } for (i = 0; i < vertex->num_elements; ++i) { const unsigned b = vertex->element[i].pipe.vertex_buffer_index; + + assert(b < PIPE_MAX_ATTRIBS); ve = &vertex->element[i]; vb = &nv50->vtxbuf[b]; 
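Review bot: In nv50_user_vbuf_range, `vbi` is a signed `int`, so `assert(vbi < PIPE_MAX_ATTRIBS)` lets a negative value through to `1 << vbi`, which is undefined for a negative shift count. Checking both ends with `assert(vbi >= 0 && vbi < PIPE_MAX_ATTRIBS);` closes that gap, as would making the parameter `unsigned` like the `b` indices used elsewhere in this file. The function body continues outside the hunk.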
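Review bot: In nv50_update_user_vbufs the index `b` is read from the vertex element state (`ve->vertex_buffer_index`), and `assert(b < PIPE_MAX_ATTRIBS)` compares it only against the array capacity, not against the number of buffers in use. An index that is in range but at or above `nv50->num_vtxbufs` would still select a slot that may not hold a currently bound buffer. If elements are expected to reference only bound buffers, `assert(b < nv50->num_vtxbufs);` states the stronger invariant. The two element loops in nv50_vertex_arrays_validate (hunks at -332 and -360) use the same check. A short comment such as `/* vertex_buffer_index comes from the vertex element state; check it before indexing vtxbuf[] */` would record why the assert is there.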
@@ -360,6 +368,8 @@ nv50_vertex_arrays_validate(struct nv50_context *nv50) for (i = 0; i < vertex->num_elements; ++i) { uint64_t address, limit; const unsigned b = vertex->element[i].pipe.vertex_buffer_index; + + assert(b < PIPE_MAX_ATTRIBS); ve = &vertex->element[i]; vb = &nv50->vtxbuf[b]; -- 2.30.2