[Mesa-dev] [PATCH] Gallium: fix buffer overflow
Jose Fonseca
jfonseca at vmware.com
Fri Jul 1 10:57:57 PDT 2011
Looks fine. Committed. Thanks.
Jose
----- Original Message -----
> Indeed. This was copied from the indices version of the function,
> although that version seems to do some more work to find out the
> true_index. The patch as it is fixes a crash when selecting objects
> in blender though.
> Please verify to make sure it's doing everything correctly since I'm
> still far from being comfortable with the codebase.
> On Fri, Jul 1, 2011 at 1:57 PM, Jose Fonseca < jfonseca at vmware.com >
> wrote:
> > I recall seeing this issue before, and I thought we had fixed it by
> > ensuring the vertices are always padded to be a multiple of four.. but I
> > suspect it may have been for fetching indices, and not actual
> > vertices.
>
> > So it looks good, but let me investigate a bit more.
>
> > Jose
>
> > ----- Original Message -----
>
> > > This looks good to me -- Jose?
>
> > >
>
> > > Keith
>
> > >
>
> > > On Thu, 2011-06-30 at 03:33 +0100, Micael Dias wrote:
>
> > > > ---
>
> > > > src/gallium/auxiliary/draw/draw_llvm.c | 12 ++++++++++++
>
> > > > 1 files changed, 12 insertions(+), 0 deletions(-)
>
> > > >
>
> > > > diff --git a/src/gallium/auxiliary/draw/draw_llvm.c
>
> > > > b/src/gallium/auxiliary/draw/draw_llvm.c
>
> > > > index 56c26f5..19134f3 100644
>
> > > > --- a/src/gallium/auxiliary/draw/draw_llvm.c
>
> > > > +++ b/src/gallium/auxiliary/draw/draw_llvm.c
>
> > > > @@ -1163,6 +1163,7 @@ draw_llvm_generate(struct draw_llvm
> > > > *llvm,
>
> > > > struct draw_llvm_variant *variant)
>
> > > > struct lp_build_loop_state lp_loop;
>
> > > > const int max_vertices = 4;
>
> > > > LLVMValueRef outputs[PIPE_MAX_SHADER_OUTPUTS][NUM_CHANNELS];
>
> > > > + LLVMValueRef fetch_max;
>
> > > > void *code;
>
> > > > struct lp_build_sampler_soa *sampler = 0;
>
> > > > LLVMValueRef ret, ret_ptr;
>
> > > > @@ -1234,6 +1235,10 @@ draw_llvm_generate(struct draw_llvm
> > > > *llvm,
>
> > > > struct draw_llvm_variant *variant)
>
> > > > draw_llvm_variant_key_samplers(&variant->key),
>
> > > > context_ptr);
>
> > > >
>
> > > > + fetch_max = LLVMBuildSub(builder, count,
>
> > > > + lp_build_const_int32(gallivm, 1),
>
> > > > + "fetch_max");
>
> > > > +
>
> > > > #if DEBUG_STORE
>
> > > > lp_build_printf(builder, "start = %d, end = %d, step = %d\n",
>
> > > > start, end, step);
>
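Review bot: fetch_max is built from count alone (count - 1), but the DEBUG_STORE printf in the context right below shows this function also carries start and end. If the fetch loop counter runs from start to end, the highest valid vertex index is end - 1, and clamping to count - 1 would clamp valid indices too low whenever start is nonzero. Please confirm which range true_index covers and, if it is start-based, derive fetch_max from end instead. It would also help to say what is expected for count == 0, where this subtraction yields -1 (or wraps, if the min in the later hunk is evaluated as unsigned).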
> > > > @@ -1257,6 +1262,13 @@ draw_llvm_generate(struct draw_llvm
> > > > *llvm,
>
> > > > struct draw_llvm_variant *variant)
>
> > > > builder,
>
> > > > lp_loop.counter,
>
> > > > lp_build_const_int32(gallivm, i), "");
>
> > > > + LLVMValueRef fetch_ptr;
>
> > > > +
>
> > > > + /* make sure we're not out of bounds which can happen
>
> > > > + * if fetch_count % 4 != 0, because on the last iteration
>
> > > > + * a few of the 4 vertex fetches will be out of bounds */
>
> > > > + true_index = lp_build_min(&bld, true_index, fetch_max);
>
> > > > +
>
> > > > for (j = 0; j < draw->pt.nr_vertex_elements; ++j) {
>
> > > > struct pipe_vertex_element *velem =
>
> > > > &draw->pt.vertex_element[j];
>
> > > > LLVMValueRef vb_index = lp_build_const_int32(gallivm,
>
> > > > velem->vertex_buffer_index);
>
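Review bot: "LLVMValueRef fetch_ptr;" is declared at the top of this hunk but none of the added lines use it, and the diffstat (12 insertions, 0 deletions) is fully accounted for by the three hunks shown, so it looks like a leftover that should be dropped to avoid an unused-variable warning. Separately, the new comment refers to fetch_count while the clamp is built from count in the earlier hunk; using the same name in the comment would make the bound easier to check. A short note that out-of-range lanes now re-fetch the last valid vertex, rather than being skipped, would also document the intended behaviour.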
> > >
>
> > >
>
> > >
>
> --
> Micael Dias