authorBrian Paul <[email protected]>2009-11-04 17:51:21 -0700
committerBrian Paul <[email protected]>2009-11-04 17:51:28 -0700
commit1c3f7ab74ce492d6c92f2e3a0f29957fa9a71d96 (patch)
tree3250818d475862c3427902dfafbcfbd64bd3cf9e /src/mesa/vbo/vbo_exec_draw.c
parentbc4ad7c2ae069a7d361f2210d39dbb91777cce76 (diff)
vbo: fix out-of-bounds array access
The exec->vtx.inputs[] array was being written past its end. This was clobbering the following vbo_exec_context::eval state. Probably not noticed since evaluators and immediate mode rendering don't happen at the same time. Fixed the loop in vbo_exec_vtx_init(). Changed the size of the vbo_exec_context::vtx.arrays[] array. Added a bunch of debug-build assertions. Issue found by Vinson Lee.
Diffstat (limited to 'src/mesa/vbo/vbo_exec_draw.c')
-rw-r--r--src/mesa/vbo/vbo_exec_draw.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/mesa/vbo/vbo_exec_draw.c b/src/mesa/vbo/vbo_exec_draw.c
index 0c258c535e0..f41d6294507 100644
--- a/src/mesa/vbo/vbo_exec_draw.c
+++ b/src/mesa/vbo/vbo_exec_draw.c
@@ -172,6 +172,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
}
for (attr = 0; attr < MAT_ATTRIB_MAX; attr++) {
+ ASSERT(attr + 16 < Elements(exec->vtx.inputs));
exec->vtx.inputs[attr + 16] = &vbo->mat_currval[attr];
}
map = vbo->map_vp_none;
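Review bot: The bound tested by the added `ASSERT` in the `MAT_ATTRIB_MAX` loop is loop-invariant, so it reads better stated once ahead of the loop as `ASSERT(MAT_ATTRIB_MAX + 16 <= Elements(exec->vtx.inputs));`, which documents the size relationship the fix depends on. The same applies to the second hunk, where the check sits between the two stores and `attr` never exceeds 15. The commit message describes these as debug-build assertions, so a release build presumably has no guard at these stores and relies on the array sizing changed elsewhere in the commit; a compile-time check on the array size would hold in every build. The literal `16` offset would also be clearer as a named constant shared by both loops. The body of vbo_exec_bind_arrays continues outside the hunk.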
@@ -184,6 +185,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
*/
for (attr = 0; attr < 16; attr++) {
exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
+ ASSERT(attr + 16 < Elements(exec->vtx.inputs));
exec->vtx.inputs[attr + 16] = &vbo->generic_currval[attr];
}
map = vbo->map_vp_arb;
@@ -212,6 +214,8 @@ vbo_exec_bind_arrays( GLcontext *ctx )
if (exec->vtx.attrsz[src]) {
/* override the default array set above */
+ ASSERT(attr < Elements(exec->vtx.inputs));
+ ASSERT(attr < Elements(exec->vtx.arrays)); /* arrays[] */
exec->vtx.inputs[attr] = &arrays[attr];
if (_mesa_is_bufferobj(exec->vtx.bufferobj)) {
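Review bot: `exec->vtx.attrsz[src]` is read in the `if` condition before either added assertion runs, and `src` is not bounds-checked anywhere in this hunk. If `src` is taken from the selected `map` table (its definition is outside the hunk), `ASSERT(src < Elements(exec->vtx.attrsz));` ahead of the `if` would cover that read too. The second added assertion tests `exec->vtx.arrays` while the store takes `&arrays[attr]`, so it only protects the store if the local `arrays` aliases `exec->vtx.arrays`, which the hunk does not show. If it does, the trailing `/* arrays[] */` comment would say more as `/* arrays is exec->vtx.arrays */`. The enclosing loop and function start and end outside the hunk.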