[Mesa-dev] [PATCH 2/2] Check access to vec4_visitor's arrays
Petri Latvala
petri.latvala at intel.com
Fri Nov 8 03:14:49 PST 2013
Protect access to vec4_visitor's uniform_size and uniform_vector_size arrays
by asserting the index used.
Signed-off-by: Petri Latvala <petri.latvala at intel.com>
---
src/mesa/drivers/dri/i965/brw_vec4.cpp | 3 +++
src/mesa/drivers/dri/i965/brw_vec4_visitor.cpp | 6 ++++++
src/mesa/drivers/dri/i965/brw_vec4_vp.cpp | 1 +
3 files changed, 10 insertions(+)
diff --git a/src/mesa/drivers/dri/i965/brw_vec4.cpp b/src/mesa/drivers/dri/i965/brw_vec4.cpp
index 20fbd45..8912198 100644
--- a/src/mesa/drivers/dri/i965/brw_vec4.cpp
+++ b/src/mesa/drivers/dri/i965/brw_vec4.cpp
@@ -372,6 +372,7 @@ vec4_visitor::split_uniform_registers()
}
}
+ assert(this->uniforms < MAX_UNIFORMS * 4);
/* Update that everything is now vector-sized. */
for (int i = 0; i < this->uniforms; i++) {
this->uniform_size[i] = 1;
@@ -409,6 +410,7 @@ vec4_visitor::pack_uniform_registers()
/* Now, figure out a packing of the live uniform vectors into our
* push constants.
*/
+ assert(uniforms < MAX_UNIFORMS * 4);
for (int src = 0; src < uniforms; src++) {
int size = this->uniform_vector_size[src];
@@ -445,6 +447,7 @@ vec4_visitor::pack_uniform_registers()
}
this->uniforms = new_uniform_count;
+ assert(this->uniforms < MAX_UNIFORMS * 4);
/* Now, update the instructions for our repacked uniforms. */
foreach_list(node, &this->instructions) {
diff --git a/src/mesa/drivers/dri/i965/brw_vec4_visitor.cpp b/src/mesa/drivers/dri/i965/brw_vec4_visitor.cpp
index a036e2d..46fd8dc 100644
--- a/src/mesa/drivers/dri/i965/brw_vec4_visitor.cpp
+++ b/src/mesa/drivers/dri/i965/brw_vec4_visitor.cpp
@@ -663,6 +663,7 @@ vec4_visitor::setup_uniform_values(ir_variable *ir)
storage->type->matrix_columns);
for (unsigned s = 0; s < vector_count; s++) {
+ assert(uniforms < MAX_UNIFORMS * 4);
uniform_vector_size[uniforms] = storage->type->vector_elements;
int i;
@@ -686,6 +687,7 @@ vec4_visitor::setup_uniform_clipplane_values()
gl_clip_plane *clip_planes = brw_select_clip_planes(ctx);
for (int i = 0; i < key->nr_userclip_plane_consts; ++i) {
+ assert(this->uniforms < MAX_UNIFORMS * 4);
this->uniform_vector_size[this->uniforms] = 4;
this->userplane[i] = dst_reg(UNIFORM, this->uniforms);
this->userplane[i].type = BRW_REGISTER_TYPE_F;
@@ -716,6 +718,7 @@ vec4_visitor::setup_builtin_uniform_values(ir_variable *ir)
(gl_state_index *)slots[i].tokens);
float *values = &this->prog->Parameters->ParameterValues[index][0].f;
+ assert(this->uniforms < MAX_UNIFORMS * 4);
this->uniform_vector_size[this->uniforms] = 0;
/* Add each of the unique swizzled channels of the element.
* This will end up matching the size of the glsl_type of this field.
@@ -726,6 +729,7 @@ vec4_visitor::setup_builtin_uniform_values(ir_variable *ir)
last_swiz = swiz;
prog_data->param[this->uniforms * 4 + j] = &values[swiz];
+ assert(this->uniforms < MAX_UNIFORMS * 4);
if (swiz <= last_swiz)
this->uniform_vector_size[this->uniforms]++;
}
@@ -984,6 +988,7 @@ vec4_visitor::visit(ir_variable *ir)
/* Track how big the whole uniform variable is, in case we need to put a
* copy of its data into pull constants for array access.
*/
+ assert(this->uniforms < MAX_UNIFORMS * 4);
this->uniform_size[this->uniforms] = type_size(ir->type);
if (!strncmp(ir->name, "gl_", 3)) {
@@ -3198,6 +3203,7 @@ vec4_visitor::move_uniform_array_access_to_pull_constants()
pull_constant_loc[uniform] = prog_data->nr_pull_params / 4;
+ assert(uniform < MAX_UNIFORMS * 4);
for (int j = 0; j < uniform_size[uniform] * 4; j++) {
prog_data->pull_param[prog_data->nr_pull_params++]
= values[j];
diff --git a/src/mesa/drivers/dri/i965/brw_vec4_vp.cpp b/src/mesa/drivers/dri/i965/brw_vec4_vp.cpp
index 1f3d75c..bb31e93 100644
--- a/src/mesa/drivers/dri/i965/brw_vec4_vp.cpp
+++ b/src/mesa/drivers/dri/i965/brw_vec4_vp.cpp
@@ -443,6 +443,7 @@ vec4_vs_visitor::setup_vp_regs()
*/
assert(components <= 4);
+ assert(this->uniforms < MAX_UNIFORMS * 4);
this->uniform_size[this->uniforms] = 1; /* 1 vec4 */
this->uniform_vector_size[this->uniforms] = components;
for (unsigned i = 0; i < 4; i++) {
--
1.8.4.rc3
More information about the mesa-dev
mailing list