[Mesa-dev] [PATCH 02/21] mesa: Check index buffer offset in DrawElements
Brian Paul
brianp at vmware.com
Mon Jun 11 07:43:57 PDT 2012
On 06/11/2012 12:59 AM, Pauli Nieminen wrote:
> DrawElements checks for cound beeing larger than index buffer object.
"count being"
> But application can specify offset to buffer leading to buffer overflow
> again. ARB_vertex_buffer_object leaves the case undefined but allows
> program termination.
>
> But indirect glx needs to check to avoid crashing X.
>
> " What happens when an attempt is made to access data outside the
> bounds of the buffer object with a command that dereferences the
> arrays?
>
> RESOLVED: ALLOW PROGRAM TERMINATION. In the event of a
> software fallback, bounds checking can become impractical. Since
> applications don't know the actual address of the buffer object
> and only provide an offset, they can't ever guarantee that
> out-of-bounds offsets will fall on valid memory. So it's hard to
> do any better than this."
>
> Signed-off-by: Pauli Nieminen<pauli.nieminen at linux.intel.com>
> ---
> src/mesa/main/api_validate.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/mesa/main/api_validate.c b/src/mesa/main/api_validate.c
> index 02495a1..4382dc9 100644
> --- a/src/mesa/main/api_validate.c
> +++ b/src/mesa/main/api_validate.c
> @@ -299,7 +299,8 @@ _mesa_validate_DrawElements(struct gl_context *ctx,
> if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) {
> /* use indices in the buffer object */
> /* make sure count doesn't go outside buffer bounds */
> - if (index_bytes(type, count)> ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
> + if (index_bytes(type, count) + (GLsizei)indices>
> + ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
> _mesa_warning(ctx, "glDrawElements index out of buffer bounds");
> return GL_FALSE;
> }
Reviewed-by: Brian Paul <brianp at vmware.com>
More information about the mesa-dev
mailing list