[Mesa-stable] [PATCH 1/2] st/mesa: don't cast the incomplete framebufer to st_framebuffer

[Nicolai Hähnle]

From: Nicolai Hähnle <nicolai.haehnle at amd.com>

The incomplete framebuffer is set for a surfaceless context. This leads to
the following error in piglit spec at egl_khr_surfaceless_context@viewport:

==26703==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f6886e43240 at pc 0x7f68854db0fd bp 0x7ffca404b3b0 sp 0x7ffca404b3a0
READ of size 8 at 0x7f6886e43240 thread T0
    #0 0x7f68854db0fc in st_viewport ../../../mesa-src/src/mesa/state_tracker/st_cb_viewport.c:57
    #1 0x556840176cdb in main tests/egl/spec/egl_khr_surfaceless_context/viewport.c:101
    #2 0x7f688edcf3f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
    #3 0x556840176e19 in _start (/home/nha/amd/piglit/bin/egl-surfaceless-context-viewport+0xe19)

0x7f6886e43240 is located 32 bytes to the left of global variable 'DummyRenderbuffer' defined in '../../../mesa-src/src/mesa/main/fbobject.c:69:31' (0x7f6886e43260) of size 112
0x7f6886e43240 is located 8 bytes to the right of global variable 'IncompleteFramebuffer' defined in '../../../mesa-src/src/mesa/main/fbobject.c:73:30' (0x7f6886e42de0) of size 1112
SUMMARY: AddressSanitizer: global-buffer-overflow ../../../mesa-src/src/mesa/state_tracker/st_cb_viewport.c:57 in st_viewport

Cc: mesa-stable at lists.freedesktop.org
---
 src/mesa/state_tracker/st_cb_fbo.h  | 3 ++-
 src/mesa/state_tracker/st_manager.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/mesa/state_tracker/st_cb_fbo.h b/src/mesa/state_tracker/st_cb_fbo.h
index d3e0554..351fb9a 100644
--- a/src/mesa/state_tracker/st_cb_fbo.h
+++ b/src/mesa/state_tracker/st_cb_fbo.h
@@ -78,21 +78,22 @@ st_renderbuffer(struct gl_renderbuffer *rb)
 /**
  * Cast wrapper to convert a struct gl_framebuffer to an st_framebuffer.
  * Return NULL if the struct gl_framebuffer is a user-created framebuffer.
  * We'll only return non-null for window system framebuffers.
  * Note that this function may fail.
  */
 static inline struct st_framebuffer *
 st_ws_framebuffer(struct gl_framebuffer *fb)
 {
    /* FBO cannot be casted.  See st_new_framebuffer */
-   if (fb && _mesa_is_winsys_fbo(fb))
+   if (fb && _mesa_is_winsys_fbo(fb) &&
+       fb != _mesa_get_incomplete_framebuffer())
       return (struct st_framebuffer *) fb;
    return NULL;
 }
 
 
 extern struct gl_renderbuffer *
 st_new_renderbuffer_fb(enum pipe_format format, int samples, boolean sw);
 
 extern void
 st_update_renderbuffer_surface(struct st_context *st,
diff --git a/src/mesa/state_tracker/st_manager.c b/src/mesa/state_tracker/st_manager.c
index 86a82c2..2ba7de6 100644
--- a/src/mesa/state_tracker/st_manager.c
+++ b/src/mesa/state_tracker/st_manager.c
@@ -837,27 +837,28 @@ st_api_destroy(struct st_api *stapi)
 
 /**
  * Flush the front buffer if the current context renders to the front buffer.
  */
 void
 st_manager_flush_frontbuffer(struct st_context *st)
 {
    struct st_framebuffer *stfb = st_ws_framebuffer(st->ctx->DrawBuffer);
    struct st_renderbuffer *strb = NULL;
 
+   assert(st->ctx->DrawBuffer != _mesa_get_incomplete_framebuffer());
+
    if (stfb)
       strb = st_renderbuffer(stfb->Base.Attachment[BUFFER_FRONT_LEFT].Renderbuffer);
    if (!strb)
       return;
 
    /* never a dummy fb */
-   assert(&stfb->Base != _mesa_get_incomplete_framebuffer());
    stfb->iface->flush_front(&st->iface, stfb->iface, ST_ATTACHMENT_FRONT_LEFT);
 }
 
 /**
  * Re-validate the framebuffers.
  */
 void
 st_manager_validate_framebuffers(struct st_context *st)
 {
    struct st_framebuffer *stdraw = st_ws_framebuffer(st->ctx->DrawBuffer);
-- 
2.9.3