[Mesa-dev] [PATCH] translate: fix buffer overflows
Jose Fonseca
jfonseca at vmware.com
Tue Mar 4 04:17:42 PST 2014
Looks good.
Adding a few assertions before dereferencing these arrays might come handy in the future.
Jose
----- Original Message -----
> Because in draw we always inject position at slot 0, whenever the
> fragment shader would take the maximum number of inputs (32) it
> meant that we had PIPE_MAX_ATTRIBS + 1 slots to translate, which
> meant that we were crashing with fragment shaders that took
> the maximum number of attributes as inputs. The actual max number
> of attributes we need to translate thus is PIPE_MAX_ATTRIBS + 1.
> ---
> src/gallium/auxiliary/translate/translate_generic.c | 2 +-
> src/gallium/auxiliary/translate/translate_sse.c | 6 +++---
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/src/gallium/auxiliary/translate/translate_generic.c
> b/src/gallium/auxiliary/translate/translate_generic.c
> index 5ffce32..82b4d00 100644
> --- a/src/gallium/auxiliary/translate/translate_generic.c
> +++ b/src/gallium/auxiliary/translate/translate_generic.c
> @@ -73,7 +73,7 @@ struct translate_generic {
> */
> int copy_size;
>
> - } attrib[PIPE_MAX_ATTRIBS];
> + } attrib[PIPE_MAX_ATTRIBS + 1];
>
> unsigned nr_attrib;
> };
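Review bot: growing attrib[] to PIPE_MAX_ATTRIBS + 1 removes the overflow for the extra position slot, but nothing in this hunk bounds nr_attrib against the new size, so the same class of write past the end stays undetected if a caller ever supplies more elements than that. Suggest an assert(nr_attrib <= PIPE_MAX_ATTRIBS + 1) at the point where attrib[] is filled, and a named constant for the "+ 1" (e.g. a TRANSLATE_MAX_ATTRIBS define shared by translate_generic.c and translate_sse.c) so the two files cannot drift apart.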
> diff --git a/src/gallium/auxiliary/translate/translate_sse.c
> b/src/gallium/auxiliary/translate/translate_sse.c
> index b6bc222..1833d8a 100644
> --- a/src/gallium/auxiliary/translate/translate_sse.c
> +++ b/src/gallium/auxiliary/translate/translate_sse.c
> @@ -104,15 +104,15 @@ struct translate_sse
> int8_t reg_to_const[16];
> int8_t const_to_reg[NUM_CONSTS];
>
> - struct translate_buffer buffer[PIPE_MAX_ATTRIBS];
> + struct translate_buffer buffer[PIPE_MAX_ATTRIBS + 1];
> unsigned nr_buffers;
>
> /* Multiple buffer variants can map to a single buffer. */
> - struct translate_buffer_variant buffer_variant[PIPE_MAX_ATTRIBS];
> + struct translate_buffer_variant buffer_variant[PIPE_MAX_ATTRIBS + 1];
> unsigned nr_buffer_variants;
>
> /* Multiple elements can map to a single buffer variant. */
> - unsigned element_to_buffer_variant[PIPE_MAX_ATTRIBS];
> + unsigned element_to_buffer_variant[PIPE_MAX_ATTRIBS + 1];
>
> boolean use_instancing;
> unsigned instance_id;
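Review bot: the literal PIPE_MAX_ATTRIBS + 1 now appears in three arrays here and once in translate_generic.c; a single shared define would make the relationship between buffer[], buffer_variant[] and element_to_buffer_variant[] explicit and avoid one of them being resized without the others. As with the generic path, the counters nr_buffers and nr_buffer_variants are written elsewhere, so an assertion that each stays below the new bound where they are incremented would turn a future overflow into a debug-build failure rather than a silent memory corruption.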
> --
> 1.9.0
>