[Mesa-dev] [PATCH] draw: avoid buffer overflows with bad geometry programs.

Dave Airlie airlied at gmail.com
Tue Jun 10 17:27:58 PDT 2014 

From: Dave Airlie <airlied at redhat.com>

One of the mismatched tests have a max output vertices of 3,
but emits 6 vertices, this means the output buffer is undersized
and causes problems down the line, so limit things later if we
have a number of vertices lower than the number required to execute
a primitive.

Signed-off-by: Dave Airlie <airlied at redhat.com>
---
 src/gallium/auxiliary/draw/draw_gs.c      | 4 ++--
 src/gallium/auxiliary/draw/draw_pt_emit.c | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/gallium/auxiliary/draw/draw_gs.c b/src/gallium/auxiliary/draw/draw_gs.c
index fc4f697..d07e88f 100644
--- a/src/gallium/auxiliary/draw/draw_gs.c
+++ b/src/gallium/auxiliary/draw/draw_gs.c
@@ -92,8 +92,8 @@ tgsi_fetch_gs_outputs(struct draw_geometry_shader *shader,
       unsigned num_verts_per_prim = machine->Primitives[prim_idx];
       shader->primitive_lengths[prim_idx +   shader->emitted_primitives] =
          machine->Primitives[prim_idx];
-      shader->emitted_vertices += num_verts_per_prim;
-      for (j = 0; j < num_verts_per_prim; j++, current_idx++) {
+      shader->emitted_vertices += MIN2(num_verts_per_prim, shader->max_output_vertices);
+      for (j = 0; j < MIN2(num_verts_per_prim, shader->max_output_vertices); j++, current_idx++) {
          int idx = current_idx * shader->info.num_outputs;
 #ifdef DEBUG_OUTPUTS
          debug_printf("%d) Output vert:\n", idx / shader->info.num_outputs);
diff --git a/src/gallium/auxiliary/draw/draw_pt_emit.c b/src/gallium/auxiliary/draw/draw_pt_emit.c
index 011efe7..d8e2809 100644
--- a/src/gallium/auxiliary/draw/draw_pt_emit.c
+++ b/src/gallium/auxiliary/draw/draw_pt_emit.c
@@ -26,6 +26,7 @@
  **************************************************************************/
 
 #include "util/u_memory.h"
+#include "util/u_math.h"
 #include "draw/draw_context.h"
 #include "draw/draw_private.h"
 #include "draw/draw_vbuf.h"
@@ -255,9 +256,14 @@ draw_pt_emit_linear(struct pt_emit *emit,
         i < prim_info->primitive_count;
         start += prim_info->primitive_lengths[i], i++)
    {
+      int len;
+      if (start > count)
+         continue;
+      len = MIN2(prim_info->primitive_lengths[i], count);
       render->draw_arrays(render,
                           start,
-                          prim_info->primitive_lengths[i]);
+                          len);
+
    }
    
    render->release_vertices(render);
-- 
1.9.3

More information about the mesa-dev mailing list