diff options
author | José Fonseca <[email protected]> | 2011-03-31 14:40:25 +0100 |
---|---|---|
committer | José Fonseca <[email protected]> | 2011-04-01 20:18:18 +0100 |
commit | 3733da31e8b4405b65e1b6ca3b6599ecc5af5fe7 (patch) | |
tree | 48e13947e294409416ddfa27f0f3458bf8bb54f9 /src/gallium/auxiliary/util/u_draw.c | |
parent | 4a7f013f9db793dab8dbc9f71646dab49f12ed2f (diff) |
draw: Prevent out-of-bounds vertex buffer access.
Based on some code and ideas from Keith Whitwell.
Diffstat (limited to 'src/gallium/auxiliary/util/u_draw.c')
-rw-r--r-- | src/gallium/auxiliary/util/u_draw.c | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/src/gallium/auxiliary/util/u_draw.c b/src/gallium/auxiliary/util/u_draw.c new file mode 100644 index 00000000000..20837be5e59 --- /dev/null +++ b/src/gallium/auxiliary/util/u_draw.c @@ -0,0 +1,99 @@ +/************************************************************************** + * + * Copyright 2011 VMware, Inc. + * All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sub license, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice (including the + * next paragraph) shall be included in all copies or substantial portions + * of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. + * IN NO EVENT SHALL VMWARE AND/OR ITS SUPPLIERS BE LIABLE FOR + * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + * + **************************************************************************/ + + +#include "util/u_debug.h" +#include "util/u_math.h" +#include "util/u_format.h" +#include "util/u_draw.h" + + +/** + * Returns the largest legal index value for the current set of bound vertex + * buffers. Regardless of any other consideration, all vertex lookups need to + * be clamped to 0..max_index to prevent an out-of-bound access. + */ +unsigned +util_draw_max_index( + const struct pipe_vertex_buffer *vertex_buffers, + unsigned nr_vertex_buffers, + const struct pipe_vertex_element *vertex_elements, + unsigned nr_vertex_elements, + const struct pipe_draw_info *info) +{ + unsigned max_index; + unsigned i; + + max_index = ~0; + for (i = 0; i < nr_vertex_elements; i++) { + const struct pipe_vertex_element *element = + &vertex_elements[i]; + const struct pipe_vertex_buffer *buffer = + &vertex_buffers[element->vertex_buffer_index]; + unsigned buffer_size; + const struct util_format_description *format_desc; + unsigned format_size; + + assert(buffer->buffer->height0 == 1); + assert(buffer->buffer->depth0 == 1); + buffer_size = buffer->buffer->width0; + + format_desc = util_format_description(element->src_format); + assert(format_desc->block.width == 1); + assert(format_desc->block.height == 1); + assert(format_desc->block.bits % 8 == 0); + format_size = format_desc->block.bits/8; + + assert(buffer_size - buffer->buffer_offset <= buffer_size); + buffer_size -= buffer->buffer_offset; + + assert(buffer_size - element->src_offset <= buffer_size); + buffer_size -= element->src_offset; + + assert(buffer_size - format_size <= buffer_size); + buffer_size -= format_size; + + if (buffer->stride != 0) { + unsigned buffer_max_index; + + buffer_max_index = buffer_size / buffer->stride; + + if (element->instance_divisor == 0) { + /* Per-vertex data */ + max_index = MIN2(max_index, buffer_max_index); + } + else { + /* Per-instance data. Simply make sure the state tracker didn't + * request more instances than those that fit in the buffer */ + assert((info->start_instance + info->instance_count)/element->instance_divisor + <= (buffer_max_index + 1)); + } + } + } + + return max_index; +} |