[Mesa-dev] [PATCH] Gallium: fix buffer overflow

Micael kam1kaz3 at gmail.com
Fri Jul 1 06:12:39 PDT 2011


Indeed. This was copied from the indices version of the function, although
that version seems to do some more work to find out the true_index. The
patch as it is fixes a crash when selecting objects in blender though.
Please verify to make sure it's doing everything correctly since I'm still
far from being comfortable with the codebase.

On Fri, Jul 1, 2011 at 1:57 PM, Jose Fonseca <jfonseca at vmware.com> wrote:

> I recall seeing this issue before, and I thought we had fixed it by ensuring
> the vertices are always padded to be a multiple of four... but I suspect it may
> have been for fetching indices, and not actual vertices.
>
> So it looks good, but let me investigate a bit more.
>
> Jose
>
> ----- Original Message -----
> > This looks good to me -- Jose?
> >
> > Keith
> >
> > On Thu, 2011-06-30 at 03:33 +0100, Micael Dias wrote:
> > > ---
> > >  src/gallium/auxiliary/draw/draw_llvm.c |   12 ++++++++++++
> > >  1 files changed, 12 insertions(+), 0 deletions(-)
> > >
> > > diff --git a/src/gallium/auxiliary/draw/draw_llvm.c
> > > b/src/gallium/auxiliary/draw/draw_llvm.c
> > > index 56c26f5..19134f3 100644
> > > --- a/src/gallium/auxiliary/draw/draw_llvm.c
> > > +++ b/src/gallium/auxiliary/draw/draw_llvm.c
> > > @@ -1163,6 +1163,7 @@ draw_llvm_generate(struct draw_llvm *llvm,
> > > struct draw_llvm_variant *variant)
> > >     struct lp_build_loop_state lp_loop;
> > >     const int max_vertices = 4;
> > >     LLVMValueRef outputs[PIPE_MAX_SHADER_OUTPUTS][NUM_CHANNELS];
> > > +   LLVMValueRef fetch_max;
> > >     void *code;
> > >     struct lp_build_sampler_soa *sampler = 0;
> > >     LLVMValueRef ret, ret_ptr;
> > > @@ -1234,6 +1235,10 @@ draw_llvm_generate(struct draw_llvm *llvm,
> > > struct draw_llvm_variant *variant)
> > >        draw_llvm_variant_key_samplers(&variant->key),
> > >        context_ptr);
> > >
> > > +   fetch_max = LLVMBuildSub(builder, count,
> > > +                            lp_build_const_int32(gallivm, 1),
> > > +                            "fetch_max");
> > > +
> > >  #if DEBUG_STORE
> > >     lp_build_printf(builder, "start = %d, end = %d, step = %d\n",
> > >                     start, end, step);
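Review bot: the clamp bound added here is computed as count - 1, but the debug printf directly below describes the loop in terms of start, end and step. If lp_loop.counter runs from start to end, count - 1 is the last valid index only when start is 0; for a non-zero start the bound should be end - 1 (or start + count - 1). Please also state what happens when count is 0, since fetch_max then becomes -1 and the result of the later min depends on whether the comparison is signed.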
> > > @@ -1257,6 +1262,13 @@ draw_llvm_generate(struct draw_llvm *llvm,
> > > struct draw_llvm_variant *variant)
> > >              builder,
> > >              lp_loop.counter,
> > >              lp_build_const_int32(gallivm, i), "");
> > > +         LLVMValueRef fetch_ptr;
> > > +
> > > +         /* make sure we're not out of bounds which can happen
> > > +          * if fetch_count % 4 != 0, because on the last iteration
> > > +          * a few of the 4 vertex fetches will be out of bounds */
> > > +         true_index = lp_build_min(&bld, true_index, fetch_max);
> > > +
> > >           for (j = 0; j < draw->pt.nr_vertex_elements; ++j) {
> > >              struct pipe_vertex_element *velem =
> > >              &draw->pt.vertex_element[j];
> > >              LLVMValueRef vb_index = lp_build_const_int32(gallivm,
> > >              velem->vertex_buffer_index);
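Review bot: fetch_ptr is declared at the top of the added lines but nothing in this hunk uses it, so it should be dropped. The comment refers to fetch_count while the bound is built from count; use one name so the reader can match the comment to the code. It would also help to say in the comment that the clamped lanes re-fetch the last vertex, so the reason the duplicate fetches are harmless is documented next to the lp_build_min call.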
> >
> >
> >
>



-- 
Micael Dias
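
The failure mode described in the patch comment, as an added example that is not part of the original thread or of Mesa's code: a scalar C model of a 4-wide vertex fetch loop, with and without the index clamp. The names simulate_fetch and clamp_mode and the [start, start + count) draw range are assumptions; the model clamps to start + count - 1, which equals the patch's count - 1 when start is 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LANES 4u   /* max_vertices = 4 in the patch */

enum clamp_mode { CLAMP_NONE, CLAMP_LAST };

/* Assumed model (not Mesa code): the draw covers vertices
 * [start, start + count) of a buffer holding nr_vertices entries,
 * processed LANES at a time. out[] receives every index a lane fetches
 * and must hold count rounded up to a multiple of LANES.
 * Returns how many fetched indices lie outside the buffer. */
size_t simulate_fetch(uint32_t start, uint32_t count, uint32_t nr_vertices,
                      enum clamp_mode mode, uint32_t *out)
{
    size_t n = 0, oob = 0;
    if (count == 0)
        return 0;                     /* nothing to fetch, no valid last index */
    uint32_t end = start + count;     /* assumes no 32-bit wrap-around */
    uint32_t last = end - 1;          /* highest index the draw may touch */

    for (uint32_t base = start; base < end; base += LANES) {
        for (uint32_t i = 0; i < LANES; i++) {
            uint32_t idx = base + i;  /* true_index = loop counter + lane */
            if (mode == CLAMP_LAST && idx > last)
                idx = last;           /* min(true_index, last) */
            if (idx >= nr_vertices)
                oob++;                /* a real fetch here reads past the buffer */
            out[n++] = idx;
        }
    }
    return oob;
}

int main(void)
{
    uint32_t out[8];
    /* Constructed case: 6 vertices in the buffer, all 6 drawn, 4 per iteration. */
    printf("unclamped out-of-bounds fetches: %zu\n",
           simulate_fetch(0, 6, 6, CLAMP_NONE, out));
    printf("clamped out-of-bounds fetches:   %zu\n",
           simulate_fetch(0, 6, 6, CLAMP_LAST, out));
    return 0;
}
```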