Mesa (master): Gallium: fix buffer overflow

Fri Jul 1 17:18:03 UTC 2011

Module: Mesa
Branch: master
Commit: 7d39ff44a2256a08fac725ae0ee8a4475fbf9de5
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=7d39ff44a2256a08fac725ae0ee8a4475fbf9de5

Author: Micael Dias <kam1kaz3 at gmail.com>
Date:   Thu Jun 30 03:33:47 2011 +0100

Gallium: fix buffer overflow

Signed-off-by: José Fonseca <jfonseca at vmware.com>

---

 src/gallium/auxiliary/draw/draw_llvm.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/src/gallium/auxiliary/draw/draw_llvm.c b/src/gallium/auxiliary/draw/draw_llvm.c
index 56c26f5..f33c907 100644
--- a/src/gallium/auxiliary/draw/draw_llvm.c
+++ b/src/gallium/auxiliary/draw/draw_llvm.c
@@ -1163,6 +1163,7 @@ draw_llvm_generate(struct draw_llvm *llvm, struct draw_llvm_variant *variant)
    struct lp_build_loop_state lp_loop;
    const int max_vertices = 4;
    LLVMValueRef outputs[PIPE_MAX_SHADER_OUTPUTS][NUM_CHANNELS];
+   LLVMValueRef fetch_max;
    void *code;
    struct lp_build_sampler_soa *sampler = 0;
    LLVMValueRef ret, ret_ptr;
@@ -1234,6 +1235,10 @@ draw_llvm_generate(struct draw_llvm *llvm, struct draw_llvm_variant *variant)
       draw_llvm_variant_key_samplers(&variant->key),
       context_ptr);
 
+   fetch_max = LLVMBuildSub(builder, count,
+                            lp_build_const_int32(gallivm, 1),
+                            "fetch_max");
+
 #if DEBUG_STORE
    lp_build_printf(builder, "start = %d, end = %d, step = %d\n",
                    start, end, step);
@@ -1257,6 +1262,12 @@ draw_llvm_generate(struct draw_llvm *llvm, struct draw_llvm_variant *variant)
             builder,
             lp_loop.counter,
             lp_build_const_int32(gallivm, i), "");
+
+         /* make sure we're not out of bounds which can happen
+          * if fetch_count % 4 != 0, because on the last iteration
+          * a few of the 4 vertex fetches will be out of bounds */
+         true_index = lp_build_min(&bld, true_index, fetch_max);
+
          for (j = 0; j < draw->pt.nr_vertex_elements; ++j) {
             struct pipe_vertex_element *velem = &draw->pt.vertex_element[j];
             LLVMValueRef vb_index = lp_build_const_int32(gallivm, velem->vertex_buffer_index);


