From 440129521c36bc2c2e59c462a94394b2f42a847e Mon Sep 17 00:00:00 2001 From: =?utf8?q?Jos=C3=A9=20Fonseca?= Date: Thu, 26 Aug 2010 15:30:51 +0100 Subject: [PATCH] draw: Prevent clipped vertices overflow. Some pathological triangles cause a theoritically impossible number of clipped vertices. The clipper will still assert, but at least release builds will not crash, while this problem is further investigated. --- src/gallium/auxiliary/draw/draw_pipe_clip.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/gallium/auxiliary/draw/draw_pipe_clip.c b/src/gallium/auxiliary/draw/draw_pipe_clip.c index 50acc6caedc..a10d8e9edc0 100644 --- a/src/gallium/auxiliary/draw/draw_pipe_clip.c +++ b/src/gallium/auxiliary/draw/draw_pipe_clip.c @@ -263,6 +263,8 @@ do_clip_tri( struct draw_stage *stage, clipmask &= ~(1<= MAX_CLIPPED_VERTICES) + return; inlist[n] = inlist[0]; /* prevent rotation of vertices */ for (i = 1; i <= n; i++) { @@ -272,16 +274,22 @@ do_clip_tri( struct draw_stage *stage, if (!IS_NEGATIVE(dp_prev)) { assert(outcount < MAX_CLIPPED_VERTICES); + if (outcount >= MAX_CLIPPED_VERTICES) + return; outlist[outcount++] = vert_prev; } if (DIFFERENT_SIGNS(dp, dp_prev)) { struct vertex_header *new_vert; - assert(tmpnr < MAX_CLIPPED_VERTICES+1); + assert(tmpnr < MAX_CLIPPED_VERTICES + 1); + if (tmpnr >= MAX_CLIPPED_VERTICES + 1) + return; new_vert = clipper->stage.tmp[tmpnr++]; assert(outcount < MAX_CLIPPED_VERTICES); + if (outcount >= MAX_CLIPPED_VERTICES) + return; outlist[outcount++] = new_vert; if (IS_NEGATIVE(dp)) { @@ -326,6 +334,8 @@ do_clip_tri( struct draw_stage *stage, if (stage->draw->rasterizer->flatshade_first) { if (inlist[0] != header->v[0]) { assert(tmpnr < MAX_CLIPPED_VERTICES + 1); + if (tmpnr >= MAX_CLIPPED_VERTICES + 1) + return; inlist[0] = dup_vert(stage, inlist[0], tmpnr++); copy_colors(stage, inlist[0], header->v[0]); } @@ -333,6 +343,8 @@ do_clip_tri( struct draw_stage *stage, else { if (inlist[0] != header->v[2]) { assert(tmpnr < MAX_CLIPPED_VERTICES + 1); + if (tmpnr >= MAX_CLIPPED_VERTICES + 1) + return; inlist[0] = dup_vert(stage, inlist[0], tmpnr++); copy_colors(stage, inlist[0], header->v[2]); } -- 2.30.2