Mesa (master): gallium/vbuf: avoid segfault when we get invalid glDrawRangeElements()

Brian Paul brianp at kemper.freedesktop.org
Tue Jun 20 14:03:13 UTC 2017


Module: Mesa
Branch: master
Commit: d8148ed10ae5faea6f88f2f964797f4b0590c083
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=d8148ed10ae5faea6f88f2f964797f4b0590c083

Author: Brian Paul <brianp at vmware.com>
Date:   Mon Jun 19 12:22:09 2017 -0600

gallium/vbuf: avoid segfault when we get invalid glDrawRangeElements()

A common user error is to call glDrawRangeElements() with the 'end'
argument being one too large.  If we use the vbuf module to translate
some vertex attributes this error can cause us to read past the end of
the mapped hardware buffer, resulting in a crash.

This patch adjusts the vertex count to avoid that issue.  Typically,
the vertex_count gets decremented by one.

This fixes crashes with the Unigine Tropics and Sanctuary demos with older
VMware hardware versions.  The issue isn't hit with VGPU10 because we
don't hit this fallback.

No piglit changes.

CC: mesa-stable at lists.freedesktop.org
Reviewed-by: Marek Olšák <marek.olsak at amd.com>

---

 src/gallium/auxiliary/util/u_vbuf.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/gallium/auxiliary/util/u_vbuf.c b/src/gallium/auxiliary/util/u_vbuf.c
index b342f342e9..6dc8bc7892 100644
--- a/src/gallium/auxiliary/util/u_vbuf.c
+++ b/src/gallium/auxiliary/util/u_vbuf.c
@@ -416,8 +416,22 @@ u_vbuf_translate_buffers(struct u_vbuf *mgr, struct translate_key *key,
          unsigned size = vb->stride ? num_vertices * vb->stride
                                     : sizeof(double)*4;
 
-         if (offset+size > vb->buffer.resource->width0) {
+         if (offset + size > vb->buffer.resource->width0) {
+            /* Don't try to map past end of buffer.  This often happens when
+             * we're translating an attribute that's at offset > 0 from the
+             * start of the vertex.  If we'd subtract attrib's offset from
+             * the size, this probably wouldn't happen.
+             */
             size = vb->buffer.resource->width0 - offset;
+
+            /* Also adjust num_vertices.  A common user error is to call
+             * glDrawRangeElements() with incorrect 'end' argument.  The 'end
+             * value should be the max index value, but people often
+             * accidentally add one to this value.  This adjustment avoids
+             * crashing (by reading past the end of a hardware buffer mapping)
+             * when people do that.
+             */
+            num_vertices = (size + vb->stride - 1) / vb->stride;
          }
 
          map = pipe_buffer_map_range(mgr->pipe, vb->buffer.resource, offset, size,
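
Review bot: The added `num_vertices = (size + vb->stride - 1) / vb->stride;` in the clamp branch divides by `vb->stride`, but the `size` computation just above the branch explicitly allows `vb->stride == 0` (it falls back to `sizeof(double)*4`). A zero-stride buffer whose `offset + size` exceeds `width0` would therefore divide by zero here. Suggest guarding the adjustment with `if (vb->stride)` and leaving `num_vertices` unchanged in the zero-stride case. Two smaller points on the same branch. First, the division rounds up, so the last counted vertex can extend past the clamped `size`; that is only safe when the attribute being translated lies within the bytes that remain, and the comment should say so. Second, `size = vb->buffer.resource->width0 - offset;` assumes `offset <= width0`, which the visible check does not establish; if `offset` can exceed the buffer width, the unsigned `size` ends up as a very large value, so an assert or early-out before the subtraction would be worth adding. The second comment also has an unbalanced quote in `'end`.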



