authorEmil Velikov <[email protected]>2014-01-16 16:53:45 +0000
committerEmil Velikov <[email protected]>2014-01-18 19:17:24 +0000
commit1773611c526844cecee84dd8c8241f888666aa1c (patch)
tree42b8a2a9a59dce22e5aeac87de6a61b1061e3fe5 /src/gallium
parent741e935a72b57cba2999239ce6d2bd3744214376 (diff)
nv50: assert before trying to out-of-bounds access vtxbuf
Signed-off-by: Emil Velikov <[email protected]> Reviewed-by: Ilia Mirkin <[email protected]>
Diffstat (limited to 'src/gallium')
-rw-r--r--src/gallium/drivers/nouveau/nv50/nv50_context.c2
-rw-r--r--src/gallium/drivers/nouveau/nv50/nv50_push.c1
-rw-r--r--src/gallium/drivers/nouveau/nv50/nv50_vbo.c12
3 files changed, 14 insertions, 1 deletions
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_context.c b/src/gallium/drivers/nouveau/nv50/nv50_context.c
index 9ea425e4c9b..a4ec93a7a08 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_context.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_context.c
@@ -80,6 +80,7 @@ nv50_context_unreference_resources(struct nv50_context *nv50)
util_unreference_framebuffer_state(&nv50->framebuffer);
+ assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS);
for (i = 0; i < nv50->num_vtxbufs; ++i)
pipe_resource_reference(&nv50->vtxbuf[i].buffer, NULL);
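Review bot: The added `assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS);` guards only builds where assert() is active; with NDEBUG the loop below still indexes `vtxbuf[i]` up to whatever `num_vtxbufs` holds. If the count can exceed the array size at all, the bound should be enforced once where `num_vtxbufs` is assigned (not visible in this diff), with these asserts kept as a record of the invariant, e.g. under a comment like `/* invariant: num_vtxbufs never exceeds the size of vtxbuf[] */`. The same applies to the identical asserts in nv50_invalidate_resource_storage, nv50_push_vbo, nv50_upload_user_buffers and nv50_vertex_arrays_validate, and to the `b < PIPE_MAX_ATTRIBS` checks on element indices in nv50_vbo.c. The body of nv50_context_unreference_resources starts and ends outside this hunk.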
@@ -149,6 +150,7 @@ nv50_invalidate_resource_storage(struct nouveau_context *ctx,
}
if (res->bind & PIPE_BIND_VERTEX_BUFFER) {
+ assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS);
for (i = 0; i < nv50->num_vtxbufs; ++i) {
if (nv50->vtxbuf[i].buffer == res) {
nv50->dirty |= NV50_NEW_ARRAYS;
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_push.c b/src/gallium/drivers/nouveau/nv50/nv50_push.c
index 3e9a4096cf0..a3a397c52c1 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_push.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_push.c
@@ -219,6 +219,7 @@ nv50_push_vbo(struct nv50_context *nv50, const struct pipe_draw_info *info)
ctx.packet_vertex_limit = nv50->vertex->packet_vertex_limit;
ctx.vertex_words = nv50->vertex->vertex_size;
+ assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS);
for (i = 0; i < nv50->num_vtxbufs; ++i) {
const struct pipe_vertex_buffer *vb = &nv50->vtxbuf[i];
const uint8_t *data;
diff --git a/src/gallium/drivers/nouveau/nv50/nv50_vbo.c b/src/gallium/drivers/nouveau/nv50/nv50_vbo.c
index 947c67d6a75..1dcccfe0806 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_vbo.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_vbo.c
@@ -192,6 +192,7 @@ static INLINE void
nv50_user_vbuf_range(struct nv50_context *nv50, int vbi,
uint32_t *base, uint32_t *size)
{
+ assert(vbi < PIPE_MAX_ATTRIBS);
if (unlikely(nv50->vertex->instance_bufs & (1 << vbi))) {
/* TODO: use min and max instance divisor to get a proper range */
*base = 0;
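Review bot: `vbi` is a signed `int`, so `assert(vbi < PIPE_MAX_ATTRIBS);` lets a negative index through to `1 << vbi` on the next line, which is undefined behaviour; `assert(vbi >= 0 && vbi < PIPE_MAX_ATTRIBS);` covers both ends. Writing the mask as `1u << vbi` would also avoid shifting into the sign bit should PIPE_MAX_ATTRIBS equal the width of int, and the same holds for `1 << b` in nv50_update_user_vbufs. The function body continues past the end of this hunk.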
@@ -211,6 +212,7 @@ nv50_upload_user_buffers(struct nv50_context *nv50,
{
unsigned b;
+ assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS);
for (b = 0; b < nv50->num_vtxbufs; ++b) {
struct nouveau_bo *bo;
const struct pipe_vertex_buffer *vb = &nv50->vtxbuf[b];
@@ -241,9 +243,12 @@ nv50_update_user_vbufs(struct nv50_context *nv50)
for (i = 0; i < nv50->vertex->num_elements; ++i) {
struct pipe_vertex_element *ve = &nv50->vertex->element[i].pipe;
const unsigned b = ve->vertex_buffer_index;
- struct pipe_vertex_buffer *vb = &nv50->vtxbuf[b];
+ struct pipe_vertex_buffer *vb;
uint32_t base, size;
+ assert(b < PIPE_MAX_ATTRIBS);
+ vb = &nv50->vtxbuf[b];
+
if (!(nv50->vbo_user & (1 << b)))
continue;
@@ -306,6 +311,7 @@ nv50_vertex_arrays_validate(struct nv50_context *nv50)
if (!nv50->vbo_fifo) {
/* if vertex buffer was written by GPU - flush VBO cache */
+ assert(nv50->num_vtxbufs <= PIPE_MAX_ATTRIBS);
for (i = 0; i < nv50->num_vtxbufs; ++i) {
struct nv04_resource *buf = nv04_resource(nv50->vtxbuf[i].buffer);
if (buf && buf->status & NOUVEAU_BUFFER_STATUS_GPU_WRITING) {
@@ -332,6 +338,8 @@ nv50_vertex_arrays_validate(struct nv50_context *nv50)
}
for (i = 0; i < vertex->num_elements; ++i) {
const unsigned b = vertex->element[i].pipe.vertex_buffer_index;
+
+ assert(b < PIPE_MAX_ATTRIBS);
ve = &vertex->element[i];
vb = &nv50->vtxbuf[b];
@@ -360,6 +368,8 @@ nv50_vertex_arrays_validate(struct nv50_context *nv50)
for (i = 0; i < vertex->num_elements; ++i) {
uint64_t address, limit;
const unsigned b = vertex->element[i].pipe.vertex_buffer_index;
+
+ assert(b < PIPE_MAX_ATTRIBS);
ve = &vertex->element[i];
vb = &nv50->vtxbuf[b];