mesa: fix out of bounds access in glGetFramebufferParameterivEXT

[mesa.git] / src / mesa / main / fbobject.c

diff --git a/src/mesa/main/fbobject.c b/src/mesa/main/fbobject.c
index ea89565cfe2a4ee45f8ed5e8fafc9f0e90cfdba1..55f2fe9bf426dacc1da587562ee8a4181ac3d252 100644 (file)
--- a/src/mesa/main/fbobject.c
+++ b/src/mesa/main/fbobject.c
@@ -174,21 +174,16 @@ _mesa_lookup_framebuffer_dsa(struct gl_context *ctx, GLuint id,
    /* Name exists but buffer is not initialized */
    if (fb == &DummyFramebuffer) {
       fb = ctx->Driver.NewFramebuffer(ctx, id);
-      _mesa_HashLockMutex(ctx->Shared->FrameBuffers);
       _mesa_HashInsert(ctx->Shared->FrameBuffers, id, fb);
-      _mesa_HashUnlockMutex(ctx->Shared->BufferObjects);
    }
    /* Name doesn't exist */
    else if (!fb) {
-      _mesa_HashLockMutex(ctx->Shared->FrameBuffers);
       fb = ctx->Driver.NewFramebuffer(ctx, id);
       if (!fb) {
-         _mesa_HashUnlockMutex(ctx->Shared->FrameBuffers);
          _mesa_error(ctx, GL_OUT_OF_MEMORY, "%s", func);
          return NULL;
       }
-      _mesa_HashInsertLocked(ctx->Shared->BufferObjects, id, fb);
-      _mesa_HashUnlockMutex(ctx->Shared->BufferObjects);
+      _mesa_HashInsert(ctx->Shared->FrameBuffers, id, fb);
    }
    return fb;
 }
@@ -3042,6 +3037,7 @@ _mesa_bind_framebuffers(struct gl_context *ctx,
       check_begin_texture_render(ctx, newDrawFb);
 
       _mesa_reference_framebuffer(&ctx->DrawBuffer, newDrawFb);
+      _mesa_update_allow_draw_out_of_order(ctx);
    }
 
    if ((bindDrawBuf || bindReadBuf) && ctx->Driver.BindFramebuffer) {
@@ -4763,9 +4759,7 @@ lookup_named_framebuffer_ext_dsa(struct gl_context *ctx, GLuint framebuffer, con
       /* Then, make sure it's initialized */
       if (fb == &DummyFramebuffer) {
          fb = ctx->Driver.NewFramebuffer(ctx, framebuffer);
-         _mesa_HashLockMutex(ctx->Shared->FrameBuffers);
          _mesa_HashInsert(ctx->Shared->FrameBuffers, framebuffer, fb);
-         _mesa_HashUnlockMutex(ctx->Shared->BufferObjects);
       }
    }
    else
@@ -4820,7 +4814,11 @@ _mesa_GetFramebufferParameterivEXT(GLuint framebuffer, GLenum pname,
          *param = fb->ColorReadBuffer;
       }
       else if (GL_DRAW_BUFFER0 <= pname && pname <= GL_DRAW_BUFFER15) {
-         *param = fb->ColorDrawBuffer[pname - GL_DRAW_BUFFER0];
+         unsigned buffer = pname - GL_DRAW_BUFFER0;
+         if (buffer < ARRAY_SIZE(fb->ColorDrawBuffer))
+            *param = fb->ColorDrawBuffer[buffer];
+         else
+            _mesa_error(ctx, GL_INVALID_ENUM, "glGetFramebufferParameterivEXT(pname)");
       }
       else {
          _mesa_error(ctx, GL_INVALID_ENUM, "glGetFramebufferParameterivEXT(pname)");
@@ -5070,9 +5068,10 @@ discard_framebuffer(struct gl_context *ctx, struct gl_framebuffer *fb,
                                 GL_STENCIL_ATTACHMENT : GL_DEPTH_ATTACHMENT);
          bool has_both = false;
          for (int j = 0; j < numAttachments; j++) {
-            if (attachments[j] == other_format)
+            if (attachments[j] == other_format) {
                has_both = true;
-            break;
+               break;
+            }
          }
 
          if (fb->Attachment[BUFFER_DEPTH].Renderbuffer !=
@@ -5343,7 +5342,7 @@ sample_locations(struct gl_context *ctx, struct gl_framebuffer *fb,
       if (isnan(v[i]))
          fb->SampleLocationTable[start * 2 + i] = 0.5f;
       else
-         fb->SampleLocationTable[start * 2 + i] = CLAMP(v[i], 0.0f, 1.0f);
+         fb->SampleLocationTable[start * 2 + i] = SATURATE(v[i]);
    }
 
    if (fb == ctx->DrawBuffer)