From c11dcfb5e9b051b9036949b3e40a9dc15138bd97 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Nicolai=20H=C3=A4hnle?=
Date: Wed, 22 Feb 2017 14:00:29 +0100
Subject: [PATCH] mesa/main: fix MultiDrawElements[BaseVertex] validation of primcount
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
primcount must be a GLsizei as in the signature for MultiDrawElements or bad things can happen. Furthermore, an error should be flagged when primcount is negative. Curiously, this code used to work somewhat correctly even when primcount was negative, because the loop that checks count[i] would iterate out of bounds and almost certainly hit a negative value at some point. Found by an ASAN error in GL45-CTS.gtf32.GL3Tests.draw_elements_base_vertex.draw_elements_base_vertex_primcount Note that the OpenGL spec seems to have s/primcount/drawcount/ at some point, and the code still reflects the old language. v2: provide the correct spec quotes (pointed out by Ian) Cc: mesa-stable@lists.freedesktop.org Reviewed-by: Marek Olšák (v1) Reviewed-by: Ian Romanick
---
 src/mesa/main/api_validate.c | 24 ++++++++++++++++++++++--
 src/mesa/main/api_validate.h | 2 +-
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/src/mesa/main/api_validate.c b/src/mesa/main/api_validate.c
index 184bf143edf..44d164ad355 100644
--- a/src/mesa/main/api_validate.c
+++ b/src/mesa/main/api_validate.c
@@ -724,12 +724,32 @@ GLboolean _mesa_validate_MultiDrawElements(struct gl_context *ctx, GLenum mode, const GLsizei *count, GLenum type, const GLvoid * const *indices,
- GLuint primcount)
+ GLsizei primcount)
 {
- unsigned i;
+ GLsizei i;
 FLUSH_CURRENT(ctx, 0);
+ /*
+ * Section 2.3.1 (Errors) of the OpenGL 4.5 (Core Profile) spec says:
+ *
+ * "If a negative number is provided where an argument of type sizei or
+ * sizeiptr is specified, an INVALID_VALUE error is generated."
+ *
+ * and in the same section:
+ *
+ * "In other cases, there are no side effects unless otherwise noted;
+ * the command which generates the error is ignored so that it has no
+ * effect on GL state or framebuffer contents."
+ *
+ * Hence, check both primcount and all the count[i].
+ */
+ if (primcount < 0) {
+ _mesa_error(ctx, GL_INVALID_VALUE,
+ "glMultiDrawElements(primcount=%d)", primcount);
+ return GL_FALSE;
+ }
+
 for (i = 0; i < primcount; i++) { if (count[i] < 0) { _mesa_error(ctx, GL_INVALID_VALUE,
diff --git a/src/mesa/main/api_validate.h b/src/mesa/main/api_validate.h
index e94f02e4ba5..de520c98dcb 100644
--- a/src/mesa/main/api_validate.h
+++ b/src/mesa/main/api_validate.h
@@ -57,7 +57,7 @@ extern GLboolean _mesa_validate_MultiDrawElements(struct gl_context *ctx, GLenum mode, const GLsizei *count, GLenum type, const GLvoid * const *indices,
- GLuint primcount);
+ GLsizei primcount);
 extern GLboolean _mesa_validate_DrawRangeElements(struct gl_context *ctx, GLenum mode,
--
2.30.2
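Review bot: In `_mesa_validate_MultiDrawElements` (api_validate.c), the new `if (primcount < 0)` guard is only meaningful because the parameter and the loop index are now `GLsizei`; the new comment block quotes the spec but does not record that, so a later change back to an unsigned type would silently turn a negative argument into a huge loop bound over `count[i]` again. I would add one line to the comment, e.g. `* primcount and i must stay signed (GLsizei): as GLuint a negative value passes this check and the count[i] loop reads out of bounds.` The callers and any sibling validators that take a primcount/drawcount are not visible here and presumably need the same signed type to keep the check effective. The error string is hard-coded as `"glMultiDrawElements(primcount=%d)"` although the commit title indicates the BaseVertex entry point shares this validator, so the reported function name may be wrong for that path. The function body continues past the end of the hunk.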