diff options
| author | José Fonseca <[email protected]> | 2010-08-26 15:30:51 +0100 |
|---|---|---|
| committer | José Fonseca <[email protected]> | 2010-09-23 16:48:59 +0100 |
| commit | 7f95c59509a6e28bde2c8ec7c880505a63c9ee56 (patch) | |
| tree | 6b37880d15ef3b9a58330b829ffbc028395ffb12 /src | |
| parent | 6f310f379b31be4776e43447bf38416de56e5abb (diff) | |
draw: Prevent clipped vertices overflow.
Some pathological triangles cause a theoritically impossible number of
clipped vertices.
The clipper will still assert, but at least release builds will not
crash, while this problem is further investigated.
Diffstat (limited to 'src')
| -rw-r--r-- | src/gallium/auxiliary/draw/draw_pipe_clip.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/src/gallium/auxiliary/draw/draw_pipe_clip.c b/src/gallium/auxiliary/draw/draw_pipe_clip.c index 50acc6caedc..a10d8e9edc0 100644 --- a/src/gallium/auxiliary/draw/draw_pipe_clip.c +++ b/src/gallium/auxiliary/draw/draw_pipe_clip.c @@ -263,6 +263,8 @@ do_clip_tri( struct draw_stage *stage, clipmask &= ~(1<<plane_idx); assert(n < MAX_CLIPPED_VERTICES); + if (n >= MAX_CLIPPED_VERTICES) + return; inlist[n] = inlist[0]; /* prevent rotation of vertices */ for (i = 1; i <= n; i++) { @@ -272,16 +274,22 @@ do_clip_tri( struct draw_stage *stage, if (!IS_NEGATIVE(dp_prev)) { assert(outcount < MAX_CLIPPED_VERTICES); + if (outcount >= MAX_CLIPPED_VERTICES) + return; outlist[outcount++] = vert_prev; } if (DIFFERENT_SIGNS(dp, dp_prev)) { struct vertex_header *new_vert; - assert(tmpnr < MAX_CLIPPED_VERTICES+1); + assert(tmpnr < MAX_CLIPPED_VERTICES + 1); + if (tmpnr >= MAX_CLIPPED_VERTICES + 1) + return; new_vert = clipper->stage.tmp[tmpnr++]; assert(outcount < MAX_CLIPPED_VERTICES); + if (outcount >= MAX_CLIPPED_VERTICES) + return; outlist[outcount++] = new_vert; if (IS_NEGATIVE(dp)) { @@ -326,6 +334,8 @@ do_clip_tri( struct draw_stage *stage, if (stage->draw->rasterizer->flatshade_first) { if (inlist[0] != header->v[0]) { assert(tmpnr < MAX_CLIPPED_VERTICES + 1); + if (tmpnr >= MAX_CLIPPED_VERTICES + 1) + return; inlist[0] = dup_vert(stage, inlist[0], tmpnr++); copy_colors(stage, inlist[0], header->v[0]); } @@ -333,6 +343,8 @@ do_clip_tri( struct draw_stage *stage, else { if (inlist[0] != header->v[2]) { assert(tmpnr < MAX_CLIPPED_VERTICES + 1); + if (tmpnr >= MAX_CLIPPED_VERTICES + 1) + return; inlist[0] = dup_vert(stage, inlist[0], tmpnr++); copy_colors(stage, inlist[0], header->v[2]); } |