From 94f9ea03a12fe1adf90c0e5defb0063cd568b537 Mon Sep 17 00:00:00 2001 From: Roland Scheidegger Date: Fri, 2 Nov 2012 16:48:49 +0100 Subject: [PATCH] draw: fix crashes with out-of-bounds indices MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The passthrough pipeline needs to check index values (which might be passed through) as they can be invalid (which causes crashes and various assertion failures if the clip code runs). Obviously, rendering won't be well-defined, but those bogus indices might come directly from apps. There were already debug printfs which reported the out-of-bounds indices but we really ought to not crash. While checking at that point doesn't seem like the most efficient solution, it seems there isn't really another appropriate function to do it. Reviewed-by: Brian Paul Reviewed-by: José Fonseca --- src/gallium/auxiliary/draw/draw_pipe.c | 9 ++++++--- src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h | 6 +++--- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/src/gallium/auxiliary/draw/draw_pipe.c b/src/gallium/auxiliary/draw/draw_pipe.c index d754504f200..ac449b75f00 100644 --- a/src/gallium/auxiliary/draw/draw_pipe.c +++ b/src/gallium/auxiliary/draw/draw_pipe.c @@ -33,6 +33,7 @@ #include "draw/draw_private.h" #include "draw/draw_pipe.h" #include "util/u_debug.h" +#include "util/u_math.h" @@ -193,7 +194,7 @@ static void do_triangle( struct draw_context *draw, do_point( draw, verts + stride * (i0) ); \ } while (0) -#define GET_ELT(idx) (elts[idx]) +#define GET_ELT(idx) (MIN2(elts[idx], max_index)) #define FUNC pipe_run_elts #define FUNC_VARS \ @@ -203,7 +204,8 @@ static void do_triangle( struct draw_context *draw, struct vertex_header *vertices, \ unsigned stride, \ const ushort *elts, \ - unsigned count + unsigned count, \ + unsigned max_index #include "draw_pt_decompose.h" @@ -262,7 +264,8 @@ void draw_pipeline_run( struct draw_context *draw, vert_info->verts, vert_info->stride, prim_info->elts + start, - count); + count, + vert_info->count - 1); } draw->pipeline.verts = NULL; diff --git a/src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h b/src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h index 75cbec87bed..2e94705609f 100644 --- a/src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h +++ b/src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h @@ -55,7 +55,7 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit, for (i = 0; i < icount; i++) { ELT_TYPE idx = ib[i]; - if (idx < min_index || idx > max_index) { + if (idx < min_index || idx > max_index) { debug_printf("warning: index out of range\n"); } } @@ -90,7 +90,7 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit, if (idx < min_index || idx > max_index) { debug_printf("warning: index out of range\n"); - } + } vsplit->draw_elts[i] = (ushort) idx; } } @@ -100,7 +100,7 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit, if (idx < min_index || idx > max_index) { debug_printf("warning: index out of range\n"); - } + } vsplit->draw_elts[i] = (ushort) (idx - min_index); } } -- 2.30.2