[Mesa-stable] [Mesa-dev] [PATCH 2/2] gallium/vbuf: avoid segfault when we get invalid glDrawRangeElements()

Marek Olšák maraeo at gmail.com
Tue Jun 20 10:40:28 UTC 2017 

For the series:

Reviewed-by: Marek Olšák <marek.olsak at amd.com>

Marek

On Tue, Jun 20, 2017 at 3:50 AM, Brian Paul <brianp at vmware.com> wrote:
> A common user error is to call glDrawRangeElements() with the 'end'
> argument being one too large.  If we use the vbuf module to translate
> some vertex attributes this error can cause us to read past the end of
> the mapped hardware buffer, resulting in a crash.
>
> This patch adjusts the vertex count to avoid that issue.  Typically,
> the vertex_count gets decremented by one.
>
> This fixes crashes with the Unigine Tropics and Sanctuary demos with older
> VMware hardware versions.  The issue isn't hit with VGPU10 because we
> don't hit this fallback.
>
> No piglit changes.
>
> CC: mesa-stable at lists.freedesktop.org
> ---
>  src/gallium/auxiliary/util/u_vbuf.c | 16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/src/gallium/auxiliary/util/u_vbuf.c b/src/gallium/auxiliary/util/u_vbuf.c
> index b342f34..6dc8bc7 100644
> --- a/src/gallium/auxiliary/util/u_vbuf.c
> +++ b/src/gallium/auxiliary/util/u_vbuf.c
> @@ -416,8 +416,22 @@ u_vbuf_translate_buffers(struct u_vbuf *mgr, struct translate_key *key,
>           unsigned size = vb->stride ? num_vertices * vb->stride
>                                      : sizeof(double)*4;
>
> -         if (offset+size > vb->buffer.resource->width0) {
> +         if (offset + size > vb->buffer.resource->width0) {
> +            /* Don't try to map past end of buffer.  This often happens when
> +             * we're translating an attribute that's at offset > 0 from the
> +             * start of the vertex.  If we'd subtract attrib's offset from
> +             * the size, this probably wouldn't happen.
> +             */
>              size = vb->buffer.resource->width0 - offset;
> +
> +            /* Also adjust num_vertices.  A common user error is to call
> +             * glDrawRangeElements() with incorrect 'end' argument.  The 'end
> +             * value should be the max index value, but people often
> +             * accidentally add one to this value.  This adjustment avoids
> +             * crashing (by reading past the end of a hardware buffer mapping)
> +             * when people do that.
> +             */
> +            num_vertices = (size + vb->stride - 1) / vb->stride;
>           }
>
>           map = pipe_buffer_map_range(mgr->pipe, vb->buffer.resource, offset, size,
> --
> 1.9.1
>
> _______________________________________________
> mesa-dev mailing list
> mesa-dev at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/mesa-dev

More information about the mesa-stable mailing list