[Mesa-dev] [PATCH v2 02/21] mesa: Check index buffer offset in DrawElements

Pauli Nieminen pauli.nieminen at linux.intel.com
Tue Jun 12 11:38:42 PDT 2012


DrawElements checks for count being larger than the index buffer object.
But an application can specify an offset into the buffer, leading to a
buffer overflow again. ARB_vertex_buffer_object leaves the case undefined
but allows program termination.

But if we do check the index buffer size, it makes sense to check it
correctly.

"   What happens when an attempt is made to access data outside the
    bounds of the buffer object with a command that dereferences the
    arrays?

        RESOLVED: ALLOW PROGRAM TERMINATION.  In the event of a
        software fallback, bounds checking can become impractical. Since
        applications don't know the actual address of the buffer object
        and only provide an offset, they can't ever guarantee that
        out-of-bounds offsets will fall on valid memory.  So it's hard to
        do any better than this."

Signed-off-by: Pauli Nieminen <pauli.nieminen at linux.intel.com>
Reviewed-by: Brian Paul <brianp at vmware.com>
---
 src/mesa/main/api_validate.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/mesa/main/api_validate.c b/src/mesa/main/api_validate.c
index 02495a1..d36f6de 100644
--- a/src/mesa/main/api_validate.c
+++ b/src/mesa/main/api_validate.c
@@ -299,7 +299,8 @@ _mesa_validate_DrawElements(struct gl_context *ctx,
    if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) {
       /* use indices in the buffer object */
       /* make sure count doesn't go outside buffer bounds */
-      if (index_bytes(type, count) > ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
+      if (index_bytes(type, count) + (GLintptr)indices >
+          ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
          _mesa_warning(ctx, "glDrawElements index out of buffer bounds");
          return GL_FALSE;
       }
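Review bot: the new condition in `_mesa_validate_DrawElements` adds `index_bytes(type, count)` to `(GLintptr)indices`, and that sum can wrap: `indices` is a pointer value reinterpreted as the signed `GLintptr`, so a large offset with the high bit set becomes negative and the sum can land below `Size` and pass the check. Consider validating the offset on its own before combining it with the byte count, e.g. `if ((GLintptr)indices < 0 || (GLintptr)indices > Size || index_bytes(type, count) > Size - (GLintptr)indices)`, so no addition can overflow.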
@@ -359,7 +360,8 @@ _mesa_validate_DrawRangeElements(struct gl_context *ctx, GLenum mode,
    if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) {
       /* use indices in the buffer object */
       /* make sure count doesn't go outside buffer bounds */
-      if (index_bytes(type, count) > ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
+      if (index_bytes(type, count) + (GLintptr)indices >
+          ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
          _mesa_warning(ctx, "glDrawRangeElements index out of buffer bounds");
          return GL_FALSE;
       }
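Review bot: the comment above the changed condition in `_mesa_validate_DrawRangeElements` still reads "make sure count doesn't go outside buffer bounds", but the check now also accounts for the `indices` offset; update the comment (e.g. "make sure offset + count doesn't go outside buffer bounds") so it describes what the condition actually tests, and the same applies to the two sibling hunks.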
@@ -493,7 +495,8 @@ _mesa_validate_DrawElementsInstanced(struct gl_context *ctx,
    if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) {
       /* use indices in the buffer object */
       /* make sure count doesn't go outside buffer bounds */
-      if (index_bytes(type, count) > ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
+      if (index_bytes(type, count) + (GLintptr)indices >
+          ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
          _mesa_warning(ctx,
                        "glDrawElementsInstanced index out of buffer bounds");
          return GL_FALSE;
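Review bot: this is the third copy of the identical two-line bounds expression, now in `_mesa_validate_DrawElementsInstanced` as well as the DrawElements and DrawRangeElements validators. Factoring it into one static helper (something like `index_bounds_valid(ctx, type, count, indices)`) would keep the three checks from drifting apart and means any later fix to the arithmetic only has to be made once.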
-- 
1.7.9.5