[Mesa-dev] [PATCH 12/21] mesa: Check index buffer offset in DrawElements

Pauli Nieminen pauli.nieminen at linux.intel.com
Sun Jun 10 23:59:32 PDT 2012


DrawElements checks for cound beeing larger than index buffer object.
But application can specify offset to buffer leading to buffer overflow
again. ARB_vertex_buffer_object leaves the case undefined but allows
program termination.

But if we do check the index buffer size it makes sense to check it
correctly.

"   What happens when an attempt is made to access data outside the
    bounds of the buffer object with a command that dereferences the
    arrays?

        RESOLVED: ALLOW PROGRAM TERMINATION.  In the event of a
        software fallback, bounds checking can become impractical. Since
        applications don't know the actual address of the buffer object
        and only provide an offset, they can't ever guarantee that
        out-of-bounds offsets will fall on valid memory.  So it's hard to
        do any better than this."

Signed-off-by: Pauli Nieminen <pauli.nieminen at linux.intel.com>
---
 src/mesa/main/api_validate.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/mesa/main/api_validate.c b/src/mesa/main/api_validate.c
index 02495a1..add65f8 100644
--- a/src/mesa/main/api_validate.c
+++ b/src/mesa/main/api_validate.c
@@ -299,7 +299,8 @@ _mesa_validate_DrawElements(struct gl_context *ctx,
    if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) {
       /* use indices in the buffer object */
       /* make sure count doesn't go outside buffer bounds */
-      if (index_bytes(type, count) > ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
+      if (index_bytes(type, count) + (uintptr_t)indices >
+          ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
          _mesa_warning(ctx, "glDrawElements index out of buffer bounds");
          return GL_FALSE;
       }
-- 
1.7.9.5



More information about the mesa-dev mailing list