[Mesa-dev] [RFC PATCH] translate: deal with size overflows by casting to ptrdiff_t

Ilia Mirkin imirkin at alum.mit.edu
Tue Jan 21 16:53:05 PST 2014


This was discovered as a result of the draw-elements-base-vertex-neg
piglit test, which passes very negative offsets in, followed up by large
indices. The nouveau code correctly adjusts the pointer, but the
translate code needs to do the proper inverse correction.

Signed-off-by: Ilia Mirkin <imirkin at alum.mit.edu>
---

So... unfortunately the SSE impl has this same issue, and it's not as clear
how to fix it up since it appears to only deal with 32-bit quantities? This is
fine for 32-bit code, but tricky for computing an offset into a 64-bit
pointer. Advice?

Basically the situation is that input_stride = 8, and index = 552655421 which
overflows a 32-bit integer. And since this is a user-supplied buffer, we can't
fix the offsets without rewriting the data.

 src/gallium/auxiliary/translate/translate_generic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gallium/auxiliary/translate/translate_generic.c b/src/gallium/auxiliary/translate/translate_generic.c
index 5bf97db..5ffce32 100644
--- a/src/gallium/auxiliary/translate/translate_generic.c
+++ b/src/gallium/auxiliary/translate/translate_generic.c
@@ -638,7 +638,7 @@ static ALWAYS_INLINE void PIPE_CDECL generic_run_one( struct translate_generic *
          }
 
          src = tg->attrib[attr].input_ptr +
-               tg->attrib[attr].input_stride * index;
+               (ptrdiff_t)tg->attrib[attr].input_stride * index;
 
          copy_size = tg->attrib[attr].copy_size;
          if(likely(copy_size >= 0))
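Review bot: the cast deserves a short comment on the `src = ... input_stride * index` line saying why it is there, namely that the product has to be computed at pointer width because index * input_stride can exceed 32 bits in the negative-basevertex case described in the message; a cast with no explanation is exactly what a later cleanup removes as "redundant", silently bringing the wrap back. It is also worth stating in the commit message that the fix only takes effect where ptrdiff_t is wider than input_stride (64-bit builds), which matches the note that the 32-bit case is already fine.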
-- 
1.8.3.2
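The wrap described in the message (stride 8, index 552655421), worked through as an added example that is not part of the patch or of Mesa's code. It assumes input_stride and the index are 32-bit unsigned and that ptrdiff_t is 64 bits; the basevertex value is constructed so the quoted index should land on element 0.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed, not taken from translate_generic.c: input_stride and the element
 * index are both 32-bit unsigned, and ptrdiff_t is 64 bits (a 64-bit host). */
typedef unsigned int u32;

/* Unpatched expression: the product is evaluated in 32-bit unsigned
 * arithmetic and wraps modulo 2^32 before it reaches the pointer add. */
static ptrdiff_t offset_unpatched(u32 stride, u32 index)
{
    u32 product = stride * index;   /* 8 * 552655421 wraps to 126276072 */
    return (ptrdiff_t)product;
}

/* Patched expression: widening one operand to ptrdiff_t promotes the whole
 * multiplication to pointer width, so the full 4421243368 survives. */
static ptrdiff_t offset_patched(u32 stride, u32 index)
{
    return (ptrdiff_t)stride * index;
}

/* Models the negative-basevertex case from the mail: the driver has already
 * moved input_ptr back by basevertex * stride bytes, and translate must undo
 * that with index * stride. Returns the element of the original buffer that
 * the resulting src pointer lands on, with the offset computed either way. */
static ptrdiff_t element_reached(ptrdiff_t (*offset)(u32, u32),
                                 long basevertex, u32 stride, u32 index)
{
    ptrdiff_t input_ptr_adjust = (ptrdiff_t)basevertex * (ptrdiff_t)stride;
    ptrdiff_t src = input_ptr_adjust + offset(stride, index);
    return src / (ptrdiff_t)stride;
}

int main(void)
{
    /* Constructed values: the index quoted in the mail, and a basevertex
     * chosen so that this index should map back to element 0. */
    const u32 stride = 8, index = 552655421u;
    const long basevertex = -552655421L;

    printf("unpatched: element %td\n",
           element_reached(offset_unpatched, basevertex, stride, index));
    printf("patched:   element %td\n",
           element_reached(offset_patched, basevertex, stride, index));
    return 0;
}
```

With the unpatched expression the src pointer ends up 4 GiB before the buffer, which is the out-of-bounds read the piglit test exposes; the patched expression lands on element 0 as intended.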


