From 7d39ff44a2256a08fac725ae0ee8a4475fbf9de5 Mon Sep 17 00:00:00 2001 From: Micael Dias Date: Thu, 30 Jun 2011 03:33:47 +0100 Subject: [PATCH] Gallium: fix buffer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: José Fonseca --- src/gallium/auxiliary/draw/draw_llvm.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/gallium/auxiliary/draw/draw_llvm.c b/src/gallium/auxiliary/draw/draw_llvm.c index 56c26f57cce..f33c9078c9c 100644 --- a/src/gallium/auxiliary/draw/draw_llvm.c +++ b/src/gallium/auxiliary/draw/draw_llvm.c @@ -1163,6 +1163,7 @@ draw_llvm_generate(struct draw_llvm *llvm, struct draw_llvm_variant *variant) struct lp_build_loop_state lp_loop; const int max_vertices = 4; LLVMValueRef outputs[PIPE_MAX_SHADER_OUTPUTS][NUM_CHANNELS]; + LLVMValueRef fetch_max; void *code; struct lp_build_sampler_soa *sampler = 0; LLVMValueRef ret, ret_ptr; @@ -1234,6 +1235,10 @@ draw_llvm_generate(struct draw_llvm *llvm, struct draw_llvm_variant *variant) draw_llvm_variant_key_samplers(&variant->key), context_ptr); + fetch_max = LLVMBuildSub(builder, count, + lp_build_const_int32(gallivm, 1), + "fetch_max"); + #if DEBUG_STORE lp_build_printf(builder, "start = %d, end = %d, step = %d\n", start, end, step); @@ -1257,6 +1262,12 @@ draw_llvm_generate(struct draw_llvm *llvm, struct draw_llvm_variant *variant) builder, lp_loop.counter, lp_build_const_int32(gallivm, i), ""); + + /* make sure we're not out of bounds which can happen + * if fetch_count % 4 != 0, because on the last iteration + * a few of the 4 vertex fetches will be out of bounds */ + true_index = lp_build_min(&bld, true_index, fetch_max); + for (j = 0; j < draw->pt.nr_vertex_elements; ++j) { struct pipe_vertex_element *velem = &draw->pt.vertex_element[j]; LLVMValueRef vb_index = lp_build_const_int32(gallivm, velem->vertex_buffer_index); -- 2.30.2