Mesa (7.9): draw: Prevent clipped vertices overflow.

Jose Fonseca jrfonseca at kemper.freedesktop.org
Thu Sep 23 15:49:26 UTC 2010


Module: Mesa
Branch: 7.9
Commit: 7f95c59509a6e28bde2c8ec7c880505a63c9ee56
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=7f95c59509a6e28bde2c8ec7c880505a63c9ee56

Author: José Fonseca <jfonseca at vmware.com>
Date:   Thu Aug 26 15:30:51 2010 +0100

draw: Prevent clipped vertices overflow.

Some pathological triangles cause a theoretically impossible number of
clipped vertices.

The clipper will still assert, but at least release builds will not
crash, while this problem is further investigated.

---

 src/gallium/auxiliary/draw/draw_pipe_clip.c |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)

diff --git a/src/gallium/auxiliary/draw/draw_pipe_clip.c b/src/gallium/auxiliary/draw/draw_pipe_clip.c
index 50acc6c..a10d8e9 100644
--- a/src/gallium/auxiliary/draw/draw_pipe_clip.c
+++ b/src/gallium/auxiliary/draw/draw_pipe_clip.c
@@ -263,6 +263,8 @@ do_clip_tri( struct draw_stage *stage,
       clipmask &= ~(1<<plane_idx);
 
       assert(n < MAX_CLIPPED_VERTICES);
+      if (n >= MAX_CLIPPED_VERTICES)
+         return;
       inlist[n] = inlist[0]; /* prevent rotation of vertices */
 
       for (i = 1; i <= n; i++) {
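Review bot: The added `if (n >= MAX_CLIPPED_VERTICES) return;` is the only bound on the `inlist[n]` write that survives a release build, because assert() compiles out under NDEBUG, but nothing in the code says so and the triangle is dropped without any trace. I would add a comment above the check such as `/* assert() is compiled out in release builds; this check keeps inlist[n] in bounds */` so the guard is not later removed as redundant with the assert. Since the commit message says the root cause is still being investigated, a debug-only warning before the `return` would also make these cases visible. The same applies to the outcount and tmpnr guards in the later hunks; do_clip_tri starts and ends outside this hunk.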
@@ -272,16 +274,22 @@ do_clip_tri( struct draw_stage *stage,
 
 	 if (!IS_NEGATIVE(dp_prev)) {
             assert(outcount < MAX_CLIPPED_VERTICES);
+            if (outcount >= MAX_CLIPPED_VERTICES)
+               return;
 	    outlist[outcount++] = vert_prev;
 	 }
 
 	 if (DIFFERENT_SIGNS(dp, dp_prev)) {
 	    struct vertex_header *new_vert;
 
-            assert(tmpnr < MAX_CLIPPED_VERTICES+1);
+            assert(tmpnr < MAX_CLIPPED_VERTICES + 1);
+            if (tmpnr >= MAX_CLIPPED_VERTICES + 1)
+               return;
             new_vert = clipper->stage.tmp[tmpnr++];
 
             assert(outcount < MAX_CLIPPED_VERTICES);
+            if (outcount >= MAX_CLIPPED_VERTICES)
+               return;
 	    outlist[outcount++] = new_vert;
 
 	    if (IS_NEGATIVE(dp)) {
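Review bot: The guard `if (tmpnr >= MAX_CLIPPED_VERTICES + 1)` protects `clipper->stage.tmp[tmpnr++]` only if that array really holds MAX_CLIPPED_VERTICES + 1 entries, and the allocation is not visible in this hunk. If the stage records its temp-vertex count (draw_stage appears to carry an `nr_tmps` field; please confirm), comparing against it, `if (tmpnr >= clipper->stage.nr_tmps) return;`, would keep the check tied to the real array size rather than to a constant that has to be kept in sync by hand. The two tmpnr guards before `dup_vert()` in the flatshade hunks below have the same dependency. do_clip_tri starts and ends outside this hunk.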
@@ -326,6 +334,8 @@ do_clip_tri( struct draw_stage *stage,
          if (stage->draw->rasterizer->flatshade_first) {
             if (inlist[0] != header->v[0]) {
                assert(tmpnr < MAX_CLIPPED_VERTICES + 1);
+               if (tmpnr >= MAX_CLIPPED_VERTICES + 1)
+                  return;
                inlist[0] = dup_vert(stage, inlist[0], tmpnr++);
                copy_colors(stage, inlist[0], header->v[0]);
             }
@@ -333,6 +343,8 @@ do_clip_tri( struct draw_stage *stage,
          else {
             if (inlist[0] != header->v[2]) {
                assert(tmpnr < MAX_CLIPPED_VERTICES + 1);
+               if (tmpnr >= MAX_CLIPPED_VERTICES + 1)
+                  return;
                inlist[0] = dup_vert(stage, inlist[0], tmpnr++);
                copy_colors(stage, inlist[0], header->v[2]);
             }



