[Mesa-dev] [PATCH] st/mesa: bound the sampler count before calling into the driver.

Stéphane Marchesin stephane.marchesin at gmail.com
Sun Mar 10 12:55:16 PDT 2013


On Sat, Mar 9, 2013 at 1:35 PM, Jose Fonseca <jfonseca at vmware.com> wrote:
>
>
> ----- Original Message -----
>> On Sat, Mar 9, 2013 at 12:30 PM, Jose Fonseca <jfonseca at vmware.com> wrote:
>> > Looks a sensible thing to do.
>> >
>> > Reviewed-by: Jose Fonseca <jfonseca at vmware.com>
>> >
>>
>> Thanks for the review.
>>
>> > Any insight how the caller can be fixed so that this doesn't happen?
>>
>> It happens to me when draw stages add more samplers on top of the max
>> samplers from the application.
>
> I see. Maybe it would be safer if draw module just passed things through (and warn) on those circumstances.

I'm really trying to fix a possible security problem here, so a
warning won't do it. All the gallium drivers I looked at will get an
overflow in some way if the state tracker gives you >
PIPE_MAX_SAMPLERS samplers.

>  Do real apps stress this, or just tests?
>

Real apps definitely exercise this, but I couldn't tell you which; I
got it in a Chrome OS crash report, and I found it because subsequent
members of the struct get nullified by the aaline draw stage which
leads to crashes.

> Another alternative would be for drivers that always depend on draw to advertise one less stage..

Maybe, but that sounds much less flexible.

Stéphane

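The bound that the patch subject describes, written out as an added example that is not Mesa's own code and not from anyone in this thread. The struct layout, the hypothetical `driver_bind_samplers` and `bind_samplers_bounded` functions, and the value chosen for `PIPE_MAX_SAMPLERS` are all assumptions made for illustration; the point is that the state tracker clamps the count (application samplers plus whatever a draw stage such as aaline adds) before the driver touches its fixed-size array, so the member that follows the array is never overwritten.

```c
/* Added example, not Mesa code: clamp the sampler count on the state-tracker
 * side before handing it to a driver that trusts the count. */
#include <stdio.h>
#include <string.h>

#define PIPE_MAX_SAMPLERS 16   /* constructed value; Gallium defines its own */

/* Constructed stand-in for a driver-side state block: a fixed array of
 * sampler slots followed by another member. An unbounded write past the
 * array would land on 'sentinel', which is the corruption mode the thread
 * describes (subsequent struct members getting clobbered). */
struct driver_state {
    void *samplers[PIPE_MAX_SAMPLERS];
    unsigned sentinel;   /* must stay intact after any bind call */
};

/* Hypothetical driver entry point: trusts 'count' to be in range. */
static void driver_bind_samplers(struct driver_state *st, unsigned count,
                                 void *const *samplers)
{
    for (unsigned i = 0; i < count; i++)
        st->samplers[i] = samplers[i];
}

/* Hypothetical state-tracker wrapper: bounds the count before calling the
 * driver. Returns how many samplers were dropped (0 when in range) so the
 * caller can emit a warning instead of silently overflowing. */
unsigned bind_samplers_bounded(struct driver_state *st, unsigned requested,
                               void *const *samplers)
{
    unsigned count = requested;
    if (count > PIPE_MAX_SAMPLERS)
        count = PIPE_MAX_SAMPLERS;
    driver_bind_samplers(st, count, samplers);
    return requested - count;
}

/* Simulates an application binding 'app_samplers' samplers plus 'extra'
 * samplers added on top by a draw stage (e.g. aaline). Returns the number
 * dropped; *sentinel_ok reports whether the trailing member survived. */
unsigned simulate_draw_stage(unsigned app_samplers, unsigned extra,
                             int *sentinel_ok)
{
    void *pool[64];   /* constructed sampler handles, all non-NULL */
    for (unsigned i = 0; i < 64; i++)
        pool[i] = &pool[i];

    struct driver_state st;
    memset(&st, 0, sizeof(st));
    st.sentinel = 0xABCDu;

    unsigned dropped = bind_samplers_bounded(&st, app_samplers + extra, pool);
    *sentinel_ok = (st.sentinel == 0xABCDu);
    return dropped;
}

int main(void)
{
    int ok = 0;
    unsigned dropped = simulate_draw_stage(PIPE_MAX_SAMPLERS, 2, &ok);
    printf("dropped=%u sentinel_intact=%d\n", dropped, ok);
    return ok ? 0 : 1;
}
```

With the application already at the maximum and a draw stage adding two more, the wrapper binds `PIPE_MAX_SAMPLERS` and reports two dropped while the member after the array keeps its value; a request inside the limit passes through unchanged with nothing dropped.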
