Mesa (master): vbo: fix out-of-bounds array access
Brian Paul
brianp at kemper.freedesktop.org
Thu Nov 5 00:59:24 UTC 2009
Module: Mesa
Branch: master
Commit: 1c3f7ab74ce492d6c92f2e3a0f29957fa9a71d96
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=1c3f7ab74ce492d6c92f2e3a0f29957fa9a71d96
Author: Brian Paul <brianp at vmware.com>
Date: Wed Nov 4 17:51:21 2009 -0700
vbo: fix out-of-bounds array access
The exec->vtx.inputs[] array was being written past its end. This was
clobbering the following vbo_exec_context::eval state. Probably not noticed
since evaluators and immediate mode rendering don't happen at the same time.
Fixed the loop in vbo_exec_vtx_init().
Changed the size of the vbo_exec_context::vtx.arrays[] array.
Added a bunch of debug-build assertions.
Issue found by Vinson Lee.
---
src/mesa/vbo/vbo_exec.h | 2 +-
src/mesa/vbo/vbo_exec_api.c | 6 ++++++
src/mesa/vbo/vbo_exec_draw.c | 4 ++++
3 files changed, 11 insertions(+), 1 deletions(-)
diff --git a/src/mesa/vbo/vbo_exec.h b/src/mesa/vbo/vbo_exec.h
index e0f4489..7fb5926 100644
--- a/src/mesa/vbo/vbo_exec.h
+++ b/src/mesa/vbo/vbo_exec.h
@@ -103,7 +103,7 @@ struct vbo_exec_context
GLubyte active_sz[VBO_ATTRIB_MAX];
GLfloat *attrptr[VBO_ATTRIB_MAX];
- struct gl_client_array arrays[VBO_ATTRIB_MAX];
+ struct gl_client_array arrays[VERT_ATTRIB_MAX];
/* According to program mode, the values above plus current
* values are squashed down to the 32 attributes passed to the
diff --git a/src/mesa/vbo/vbo_exec_api.c b/src/mesa/vbo/vbo_exec_api.c
index 387d4ee..acc7647 100644
--- a/src/mesa/vbo/vbo_exec_api.c
+++ b/src/mesa/vbo/vbo_exec_api.c
@@ -695,8 +695,14 @@ void vbo_exec_vtx_init( struct vbo_exec_context *exec )
_mesa_install_exec_vtxfmt( exec->ctx, &exec->vtxfmt );
for (i = 0 ; i < VBO_ATTRIB_MAX ; i++) {
+ ASSERT(i < Elements(exec->vtx.attrsz));
exec->vtx.attrsz[i] = 0;
+ ASSERT(i < Elements(exec->vtx.active_sz));
exec->vtx.active_sz[i] = 0;
+ }
+ for (i = 0 ; i < VERT_ATTRIB_MAX; i++) {
+ ASSERT(i < Elements(exec->vtx.inputs));
+ ASSERT(i < Elements(exec->vtx.arrays));
exec->vtx.inputs[i] = &exec->vtx.arrays[i];
}
diff --git a/src/mesa/vbo/vbo_exec_draw.c b/src/mesa/vbo/vbo_exec_draw.c
index 0c258c5..f41d629 100644
--- a/src/mesa/vbo/vbo_exec_draw.c
+++ b/src/mesa/vbo/vbo_exec_draw.c
@@ -172,6 +172,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
}
for (attr = 0; attr < MAT_ATTRIB_MAX; attr++) {
+ ASSERT(attr + 16 < Elements(exec->vtx.inputs));
exec->vtx.inputs[attr + 16] = &vbo->mat_currval[attr];
}
map = vbo->map_vp_none;
@@ -184,6 +185,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
*/
for (attr = 0; attr < 16; attr++) {
exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
+ ASSERT(attr + 16 < Elements(exec->vtx.inputs));
exec->vtx.inputs[attr + 16] = &vbo->generic_currval[attr];
}
map = vbo->map_vp_arb;
@@ -212,6 +214,8 @@ vbo_exec_bind_arrays( GLcontext *ctx )
if (exec->vtx.attrsz[src]) {
/* override the default array set above */
+ ASSERT(attr < Elements(exec->vtx.inputs));
+ ASSERT(attr < Elements(exec->vtx.arrays)); /* arrays[] */
exec->vtx.inputs[attr] = &arrays[attr];
if (_mesa_is_bufferobj(exec->vtx.bufferobj)) {
More information about the mesa-commit
mailing list