[Mesa-dev] [PATCH 05/10] nv50: assert before trying to out-of-bounds access vtxbuf

Ilia Mirkin imirkin at alum.mit.edu
Thu Jan 16 10:51:32 PST 2014


On Thu, Jan 16, 2014 at 1:44 PM, Emil Velikov <emil.l.velikov at gmail.com> wrote:
> Signed-off-by: Emil Velikov <emil.l.velikov at gmail.com>
> ---
>  src/gallium/drivers/nouveau/nv50/nv50_context.c |  2 ++
>  src/gallium/drivers/nouveau/nv50/nv50_push.c    |  1 +
>  src/gallium/drivers/nouveau/nv50/nv50_vbo.c     | 12 +++++++++++-
>  3 files changed, 14 insertions(+), 1 deletion(-)
>
> diff --git a/src/gallium/drivers/nouveau/nv50/nv50_context.c b/src/gallium/drivers/nouveau/nv50/nv50_context.c
> index 9ea425e..a4ec93a 100644
> --- a/src/gallium/drivers/nouveau/nv50/nv50_context.c
> +++ b/src/gallium/drivers/nouveau/nv50/nv50_context.c
> @@ -80,6 +80,7 @@ nv50_context_unreference_resources(struct nv50_context *nv50)
>
>     util_unreference_framebuffer_state(&nv50->framebuffer);
>
> +   assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS);
>     for (i = 0; i < nv50->num_vtxbufs; ++i)
>        pipe_resource_reference(&nv50->vtxbuf[i].buffer, NULL);
>
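Review bot: The `assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS)` added before the loop is compiled out whenever NDEBUG is defined, so in a release build the out-of-bounds walk of `vtxbuf[]` named in the subject line is unchanged; the check diagnoses a broken invariant in debug builds but does not prevent the access. If the aim is to stop the overrun rather than catch it during development, the natural place is where `num_vtxbufs` is written (presumably the driver's set_vertex_buffers callback, not touched by this patch), where one clamp or rejection would cover every consumer this patch annotates instead of repeating a debug-only assert in each of them. Either way a one-line comment would stop the next reader from taking the assert as a bounds check, e.g. `/* debug-only: num_vtxbufs must already be bounded by the producer */`. nv50_context_unreference_resources starts before this hunk.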
> @@ -149,6 +150,7 @@ nv50_invalidate_resource_storage(struct nouveau_context *ctx,
>     }
>
>     if (res->bind & PIPE_BIND_VERTEX_BUFFER) {
> +      assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS);
>        for (i = 0; i < nv50->num_vtxbufs; ++i) {
>           if (nv50->vtxbuf[i].buffer == res) {
>              nv50->dirty |= NV50_NEW_ARRAYS;
> diff --git a/src/gallium/drivers/nouveau/nv50/nv50_push.c b/src/gallium/drivers/nouveau/nv50/nv50_push.c
> index 3e9a409..a3a397c 100644
> --- a/src/gallium/drivers/nouveau/nv50/nv50_push.c
> +++ b/src/gallium/drivers/nouveau/nv50/nv50_push.c
> @@ -219,6 +219,7 @@ nv50_push_vbo(struct nv50_context *nv50, const struct pipe_draw_info *info)
>     ctx.packet_vertex_limit = nv50->vertex->packet_vertex_limit;
>     ctx.vertex_words = nv50->vertex->vertex_size;
>
> +   assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS);
>     for (i = 0; i < nv50->num_vtxbufs; ++i) {
>        const struct pipe_vertex_buffer *vb = &nv50->vtxbuf[i];
>        const uint8_t *data;
> diff --git a/src/gallium/drivers/nouveau/nv50/nv50_vbo.c b/src/gallium/drivers/nouveau/nv50/nv50_vbo.c
> index 947c67d..1dcccfe 100644
> --- a/src/gallium/drivers/nouveau/nv50/nv50_vbo.c
> +++ b/src/gallium/drivers/nouveau/nv50/nv50_vbo.c
> @@ -192,6 +192,7 @@ static INLINE void
>  nv50_user_vbuf_range(struct nv50_context *nv50, int vbi,
>                       uint32_t *base, uint32_t *size)
>  {
> +   assert(vbi < PIPE_MAX_ATTRIBS);

Also make the parameter a uint?

>     if (unlikely(nv50->vertex->instance_bufs & (1 << vbi))) {
>        /* TODO: use min and max instance divisor to get a proper range */
>        *base = 0;
> @@ -211,6 +212,7 @@ nv50_upload_user_buffers(struct nv50_context *nv50,
>  {
>     unsigned b;
>
> +   assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS);
>     for (b = 0; b < nv50->num_vtxbufs; ++b) {
>        struct nouveau_bo *bo;
>        const struct pipe_vertex_buffer *vb = &nv50->vtxbuf[b];
> @@ -241,9 +243,12 @@ nv50_update_user_vbufs(struct nv50_context *nv50)
>     for (i = 0; i < nv50->vertex->num_elements; ++i) {
>        struct pipe_vertex_element *ve = &nv50->vertex->element[i].pipe;
>        const unsigned b = ve->vertex_buffer_index;
> -      struct pipe_vertex_buffer *vb = &nv50->vtxbuf[b];
> +      struct pipe_vertex_buffer *vb;
>        uint32_t base, size;
>
> +      assert(b < PIPE_MAX_ATTRIBS);
> +      vb = &nv50->vtxbuf[b];
> +
>        if (!(nv50->vbo_user & (1 << b)))
>           continue;
>
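Review bot: The new `assert(b < PIPE_MAX_ATTRIBS)` bounds `b` against the capacity of `vtxbuf[]`, not against `nv50->num_vtxbufs`, so an element whose `vertex_buffer_index` names a slot that is inside the array but not currently bound passes the assert and is then dereferenced on the next line and tested in `vbo_user & (1 << b)`. That may be acceptable if unbound slots are kept zeroed (not visible here), but it is a weaker invariant than the `num_vtxbufs` loops elsewhere in the patch assert, and worth saying explicitly: `/* array bound only; b may still be >= num_vtxbufs for an unbound slot */`. As with the other hunks, the assert vanishes under NDEBUG, and since `b` ultimately comes from vertex-element state handed in by the state tracker the indexed access is unchanged in release builds. nv50_update_user_vbufs continues outside the hunk.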
> @@ -306,6 +311,7 @@ nv50_vertex_arrays_validate(struct nv50_context *nv50)
>
>     if (!nv50->vbo_fifo) {
>        /* if vertex buffer was written by GPU - flush VBO cache */
> +      assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS);
>        for (i = 0; i < nv50->num_vtxbufs; ++i) {
>           struct nv04_resource *buf = nv04_resource(nv50->vtxbuf[i].buffer);
>           if (buf && buf->status & NOUVEAU_BUFFER_STATUS_GPU_WRITING) {
> @@ -332,6 +338,8 @@ nv50_vertex_arrays_validate(struct nv50_context *nv50)
>     }
>     for (i = 0; i < vertex->num_elements; ++i) {
>        const unsigned b = vertex->element[i].pipe.vertex_buffer_index;
> +
> +      assert(b < PIPE_MAX_ATTRIBS);
>        ve = &vertex->element[i];
>        vb = &nv50->vtxbuf[b];
>
> @@ -360,6 +368,8 @@ nv50_vertex_arrays_validate(struct nv50_context *nv50)
>     for (i = 0; i < vertex->num_elements; ++i) {
>        uint64_t address, limit;
>        const unsigned b = vertex->element[i].pipe.vertex_buffer_index;
> +
> +      assert(b < PIPE_MAX_ATTRIBS);
>        ve = &vertex->element[i];
>        vb = &nv50->vtxbuf[b];
>
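Review bot: The same `b`/`assert(b < PIPE_MAX_ATTRIBS)` pair now appears in both element loops of nv50_vertex_arrays_validate (this hunk and the previous one), re-validating `vertex->element[i].pipe.vertex_buffer_index` once per loop on every draw, even though the element array does not change between the two loops. If the elements are fixed when the vertex state object is created, as gallium CSOs usually are, a single check of each `vertex_buffer_index` at creation time (outside this patch) would cover both loops as well as nv50_update_user_vbufs and keep the per-draw path free of repeated asserts. Failing that, a short comment on the first loop, `/* b already asserted below; elements are shared by both loops */`, would at least explain the duplication. The function begins and ends outside the hunk.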
> --
> 1.8.5.2
>

