[Mesa-dev] [PATCH 12/21] mesa: Check index buffer offset in DrawElements
Pauli Nieminen
pauli.nieminen at linux.intel.com
Sun Jun 10 23:59:32 PDT 2012
DrawElements checks for count being larger than index buffer object.
But application can specify offset to buffer leading to buffer overflow
again. ARB_vertex_buffer_object leaves the case undefined but allows
program termination.
But if we do check the index buffer size it makes sense to check it
correctly.
" What happens when an attempt is made to access data outside the
bounds of the buffer object with a command that dereferences the
arrays?
RESOLVED: ALLOW PROGRAM TERMINATION. In the event of a
software fallback, bounds checking can become impractical. Since
applications don't know the actual address of the buffer object
and only provide an offset, they can't ever guarantee that
out-of-bounds offsets will fall on valid memory. So it's hard to
do any better than this."
Signed-off-by: Pauli Nieminen <pauli.nieminen at linux.intel.com>
---
src/mesa/main/api_validate.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mesa/main/api_validate.c b/src/mesa/main/api_validate.c
index 02495a1..add65f8 100644
--- a/src/mesa/main/api_validate.c
+++ b/src/mesa/main/api_validate.c
@@ -299,7 +299,8 @@ _mesa_validate_DrawElements(struct gl_context *ctx,
if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) {
/* use indices in the buffer object */
/* make sure count doesn't go outside buffer bounds */
- if (index_bytes(type, count) > ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
+ if (index_bytes(type, count) + (uintptr_t)indices >
+ ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
_mesa_warning(ctx, "glDrawElements index out of buffer bounds");
return GL_FALSE;
}
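Review bot: the sum in the new condition, index_bytes(type, count) + (uintptr_t)indices, can wrap around when the application supplies a very large offset in indices, in which case the result compares below Size and the draw is accepted. Avoid the addition: reject first when (uintptr_t)indices > ctx->Array.ArrayObj->ElementArrayBufferObj->Size, then test index_bytes(type, count) > Size - (uintptr_t)indices. The comment "make sure count doesn't go outside buffer bounds" should also be updated to say that the offset is now part of the check.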
--
1.7.9.5