[Mesa-dev] [PATCH] draw: avoid buffer overflows with bad geometry programs.

Tue Jun 10 17:48:32 PDT 2014

To be honest I still don't like it. While the tgsi_exec specific paths in draw_gs don't matter to me and can be as ugly as they need to be, they can't be polluting the draw_pt_emit code, in other words the primitive_lengths can't be bogus at that point - prim_info can't lie about the amount of data that it's holding.

z

----- Original Message -----
> From: Dave Airlie <airlied at redhat.com>
> 
> One of the mismatched tests have a max output vertices of 3,
> but emits 6 vertices, this means the output buffer is undersized
> and causes problems down the line, so limit things later if we
> have a number of vertices lower than the number required to execute
> a primitive.
> 
> Signed-off-by: Dave Airlie <airlied at redhat.com>
> ---
>  src/gallium/auxiliary/draw/draw_gs.c      | 4 ++--
>  src/gallium/auxiliary/draw/draw_pt_emit.c | 8 +++++++-
>  2 files changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/src/gallium/auxiliary/draw/draw_gs.c
> b/src/gallium/auxiliary/draw/draw_gs.c
> index fc4f697..d07e88f 100644
> --- a/src/gallium/auxiliary/draw/draw_gs.c
> +++ b/src/gallium/auxiliary/draw/draw_gs.c
> @@ -92,8 +92,8 @@ tgsi_fetch_gs_outputs(struct draw_geometry_shader *shader,
>        unsigned num_verts_per_prim = machine->Primitives[prim_idx];
>        shader->primitive_lengths[prim_idx +   shader->emitted_primitives] =
>           machine->Primitives[prim_idx];
> -      shader->emitted_vertices += num_verts_per_prim;
> -      for (j = 0; j < num_verts_per_prim; j++, current_idx++) {
> +      shader->emitted_vertices += MIN2(num_verts_per_prim,
> shader->max_output_vertices);
> +      for (j = 0; j < MIN2(num_verts_per_prim, shader->max_output_vertices);
> j++, current_idx++) {
>           int idx = current_idx * shader->info.num_outputs;
>  #ifdef DEBUG_OUTPUTS
>           debug_printf("%d) Output vert:\n", idx / shader->info.num_outputs);
> diff --git a/src/gallium/auxiliary/draw/draw_pt_emit.c
> b/src/gallium/auxiliary/draw/draw_pt_emit.c
> index 011efe7..d8e2809 100644
> --- a/src/gallium/auxiliary/draw/draw_pt_emit.c
> +++ b/src/gallium/auxiliary/draw/draw_pt_emit.c
> @@ -26,6 +26,7 @@
>   **************************************************************************/
>  
>  #include "util/u_memory.h"
> +#include "util/u_math.h"
>  #include "draw/draw_context.h"
>  #include "draw/draw_private.h"
>  #include "draw/draw_vbuf.h"
> @@ -255,9 +256,14 @@ draw_pt_emit_linear(struct pt_emit *emit,
>          i < prim_info->primitive_count;
>          start += prim_info->primitive_lengths[i], i++)
>     {
> +      int len;
> +      if (start > count)
> +         continue;
> +      len = MIN2(prim_info->primitive_lengths[i], count);
>        render->draw_arrays(render,
>                            start,
> -                          prim_info->primitive_lengths[i]);
> +                          len);
> +
>     }
>     
>     render->release_vertices(render);
> --
> 1.9.3
> 
> _______________________________________________
> mesa-dev mailing list
> mesa-dev at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/mesa-dev
> 