[Mesa-dev] [PATCH 03/10] nv50: assert before trying to out-of-bounds access constbuf

Emil Velikov emil.l.velikov at gmail.com
Thu Jan 16 10:44:52 PST 2014


Signed-off-by: Emil Velikov <emil.l.velikov at gmail.com>
---
 src/gallium/drivers/nouveau/nv50/nv50_context.c      | 1 +
 src/gallium/drivers/nouveau/nv50/nv50_shader_state.c | 2 ++
 src/gallium/drivers/nouveau/nv50/nv50_state.c        | 1 +
 3 files changed, 4 insertions(+)

diff --git a/src/gallium/drivers/nouveau/nv50/nv50_context.c b/src/gallium/drivers/nouveau/nv50/nv50_context.c
index bd00b50..9ea425e 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_context.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_context.c
@@ -180,6 +180,7 @@ nv50_invalidate_resource_storage(struct nouveau_context *ctx,
 
    if (res->bind & PIPE_BIND_CONSTANT_BUFFER) {
       for (s = 0; s < 3; ++s) {
+      assert(nv50->num_vtxbufs <= NV50_MAX_PIPE_CONSTBUFS);
       for (i = 0; i < nv50->num_vtxbufs; ++i) {
          if (!nv50->constbuf[s][i].user &&
              nv50->constbuf[s][i].u.buf == res) {
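Review bot: The added `assert(nv50->num_vtxbufs <= NV50_MAX_PIPE_CONSTBUFS);` is compiled out when NDEBUG is defined, so in release builds the `constbuf[s][i]` reads below it stay unguarded; the same holds for the asserts added in nv50_constbufs_validate and nv50_set_constant_buffer. The inner loop is bounded by what looks like a vertex-buffer count while it indexes `constbuf`, so the assert may be covering a wrong loop bound. If so, `for (i = 0; i < NV50_MAX_PIPE_CONSTBUFS; ++i)` would make the access safe by construction; this needs confirming against the rest of the function, which continues outside the hunk. The assert is also invariant in `s` but sits inside the `for (s ...)` body at the outer loop's indentation, so it would read better hoisted above that loop.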
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c b/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c
index 9144fc4..c44d208 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_shader_state.c
@@ -47,6 +47,8 @@ nv50_constbufs_validate(struct nv50_context *nv50)
 
       while (nv50->constbuf_dirty[s]) {
          const int i = ffs(nv50->constbuf_dirty[s]) - 1;
+
+         assert(i < NV50_MAX_PIPE_CONSTBUFS);
          nv50->constbuf_dirty[s] &= ~(1 << i);
 
          if (nv50->constbuf[s][i].user) {
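Review bot: Nothing in this loop says why `i` should stay below NV50_MAX_PIPE_CONSTBUFS: it comes from `ffs()` on `constbuf_dirty[s]`, so the assert is really a statement about which bits that mask may carry. A comment above it would record that, e.g. `/* constbuf_dirty[s] must only have bits below NV50_MAX_PIPE_CONSTBUFS set */`. The code that sets those bits is outside the hunk, so where the invariant is established cannot be confirmed from here. The loop body also continues past the hunk.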
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_state.c b/src/gallium/drivers/nouveau/nv50/nv50_state.c
index b6a180e..5488cac 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_state.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_state.c
@@ -786,6 +786,7 @@ nv50_set_constant_buffer(struct pipe_context *pipe, uint shader, uint index,
    if (shader == PIPE_SHADER_COMPUTE)
       return;
 
+   assert(i < NV50_MAX_PIPE_CONSTBUFS);
    if (nv50->constbuf[s][i].user)
       nv50->constbuf[s][i].u.buf = NULL;
    else
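Review bot: Only the second subscript is checked here: `s` indexes `nv50->constbuf` on the very next lines and gets no bound. Both `s` and `i` are assigned outside the hunk, presumably from the `shader` and `index` arguments, so this is where caller-supplied values first reach the array. A matching `assert(s < 3);` (the stage count used by the loop in nv50_invalidate_resource_storage) would cover the first dimension. The function body continues outside the hunk.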
-- 
1.8.5.2


