[Mesa-dev] Bogus bounds checking in api_validate.c?

Ian Romanick idr at freedesktop.org
Thu Nov 6 20:09:18 PST 2014

While working on some other things, I came across some bounds checking
code in _mesa_validate_DrawElements (and related functions) in

      /* use indices in the buffer object */
      /* make sure count doesn't go outside buffer bounds */
      if (index_bytes(type, count) > ctx->Array.VAO->IndexBufferObj->Size) {
         _mesa_warning(ctx, "glDrawElements index out of buffer bounds");
         return GL_FALSE;
      }

index_bytes calculates how many bytes of data "count" indices will
occupy based on the type.  The problem is that this doesn't consider
the base pointer.  As far as I can tell, if I had a 64 byte buffer
object for my index data, and I did

    glDrawElements(GL_POINTS, 16, GL_UNSIGNED_INT, 60);

_mesa_validate_DrawElements would say, "Ok!"

Am I missing something, or is this just broken?
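
The case described in the message above, as an added example that is not part of the original post and is not Mesa code: a count-only bounds check next to one that also accounts for the starting byte offset. The enum, the function names and the use of size_t are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the GL index types; not Mesa's definitions.
 * Each value is the size of one index in bytes. */
enum idx_type { IDX_UBYTE = 1, IDX_USHORT = 2, IDX_UINT = 4 };

/* Bytes occupied by `count` indices; returns false if the product overflows. */
static bool index_span(enum idx_type type, size_t count, size_t *out)
{
    size_t elem = (size_t)type;
    if (count > SIZE_MAX / elem)
        return false;
    *out = count * elem;
    return true;
}

/* Same shape as the check quoted in the post: only the span of the
 * indices is compared to the buffer size, the offset is ignored. */
static bool check_count_only(enum idx_type type, size_t count, size_t buf_size)
{
    size_t span;
    return index_span(type, count, &span) && span <= buf_size;
}

/* Check that includes the starting byte offset. It compares against
 * buf_size - offset so that offset + span is never computed and cannot wrap. */
static bool check_with_offset(enum idx_type type, size_t count,
                              size_t offset, size_t buf_size)
{
    size_t span;
    if (!index_span(type, count, &span))
        return false;
    if (offset > buf_size)
        return false;
    return span <= buf_size - offset;
}

int main(void)
{
    /* Values from the post: 64-byte buffer, 16 GL_UNSIGNED_INT indices, offset 60. */
    printf("count only:  %d\n", check_count_only(IDX_UINT, 16, 64));
    printf("with offset: %d\n", check_with_offset(IDX_UINT, 16, 60, 64));
    return 0;
}
```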
