author | Brian Paul <[email protected]> | 2009-11-04 17:51:21 -0700 |
---|---|---|
committer | Brian Paul <[email protected]> | 2009-11-04 17:51:28 -0700 |
commit | 1c3f7ab74ce492d6c92f2e3a0f29957fa9a71d96 (patch) | |
tree | 3250818d475862c3427902dfafbcfbd64bd3cf9e /src | |
parent | bc4ad7c2ae069a7d361f2210d39dbb91777cce76 (diff) |
vbo: fix out-of-bounds array access
The exec->vtx.inputs[] array was being written past its end. This was
clobbering the following vbo_exec_context::eval state. Probably not noticed
since evaluators and immediate mode rendering don't happen at the same time.
Fixed the loop in vbo_exec_vtx_init().
Changed the size of the vbo_exec_context::vtx.arrays[] array.
Added a bunch of debug-build assertions.
Issue found by Vinson Lee.
Diffstat (limited to 'src')
-rw-r--r-- | src/mesa/vbo/vbo_exec.h | 2 | ||||
-rw-r--r-- | src/mesa/vbo/vbo_exec_api.c | 6 | ||||
-rw-r--r-- | src/mesa/vbo/vbo_exec_draw.c | 4 |
3 files changed, 11 insertions, 1 deletions
diff --git a/src/mesa/vbo/vbo_exec.h b/src/mesa/vbo/vbo_exec.h
index e0f44892cff..7fb59261600 100644
--- a/src/mesa/vbo/vbo_exec.h
+++ b/src/mesa/vbo/vbo_exec.h
@@ -103,7 +103,7 @@ struct vbo_exec_context
 GLubyte active_sz[VBO_ATTRIB_MAX];
 GLfloat *attrptr[VBO_ATTRIB_MAX];
- struct gl_client_array arrays[VBO_ATTRIB_MAX];
+ struct gl_client_array arrays[VERT_ATTRIB_MAX];
 /* According to program mode, the values above plus current
 * values are squashed down to the 32 attributes passed to the
diff --git a/src/mesa/vbo/vbo_exec_api.c b/src/mesa/vbo/vbo_exec_api.c
index 387d4ee3d4a..acc76479002 100644
--- a/src/mesa/vbo/vbo_exec_api.c
+++ b/src/mesa/vbo/vbo_exec_api.c
@@ -695,8 +695,14 @@ void vbo_exec_vtx_init( struct vbo_exec_context *exec )
 _mesa_install_exec_vtxfmt( exec->ctx, &exec->vtxfmt );
 for (i = 0 ; i < VBO_ATTRIB_MAX ; i++) {
+ ASSERT(i < Elements(exec->vtx.attrsz));
 exec->vtx.attrsz[i] = 0;
+ ASSERT(i < Elements(exec->vtx.active_sz));
 exec->vtx.active_sz[i] = 0;
+ }
+ for (i = 0 ; i < VERT_ATTRIB_MAX; i++) {
+ ASSERT(i < Elements(exec->vtx.inputs));
+ ASSERT(i < Elements(exec->vtx.arrays));
 exec->vtx.inputs[i] = &exec->vtx.arrays[i];
 }
diff --git a/src/mesa/vbo/vbo_exec_draw.c b/src/mesa/vbo/vbo_exec_draw.c
index 0c258c535e0..f41d6294507 100644
--- a/src/mesa/vbo/vbo_exec_draw.c
+++ b/src/mesa/vbo/vbo_exec_draw.c
@@ -172,6 +172,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
 exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
 }
 for (attr = 0; attr < MAT_ATTRIB_MAX; attr++) {
+ ASSERT(attr + 16 < Elements(exec->vtx.inputs));
 exec->vtx.inputs[attr + 16] = &vbo->mat_currval[attr];
 }
 map = vbo->map_vp_none;
@@ -184,6 +185,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
 */
 for (attr = 0; attr < 16; attr++) {
 exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
+ ASSERT(attr + 16 < Elements(exec->vtx.inputs));
 exec->vtx.inputs[attr + 16] = &vbo->generic_currval[attr];
 }
 map = vbo->map_vp_arb;
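Review bot: In vbo_exec.h, `arrays[]` now has a different length from its neighbours `active_sz[]` and `attrptr[]`, yet nothing on the field says which index space it belongs to. If VERT_ATTRIB_MAX is the smaller constant, as the commit message implies, any remaining code that indexes `arrays[]` with a VBO_ATTRIB_* value would now run past the end, and the added ASSERTs cover only the sites touched in this commit. A field comment such as `/* indexed by VERT_ATTRIB_*; same length as inputs[] */` would record the invariant where the next editor will see it. The declaration of `inputs[]` is outside the hunk, so its length is inferred from the new loop in vbo_exec_vtx_init().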
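Review bot: In vbo_exec_vtx_init() the new ASSERTs are the only bounds check, and the commit message describes them as debug-build only. A release build therefore still writes out of bounds if VBO_ATTRIB_MAX or VERT_ATTRIB_MAX drifts away from the array declarations again. Bounding each loop by the array it fills removes the need to keep the constant and the declaration in sync, for example `for (i = 0; i < Elements(exec->vtx.inputs); i++)` for the second loop. The function body continues outside the hunk.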
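Review bot: Both `inputs[attr + 16]` writes in vbo_exec_bind_arrays() (the MAT_ATTRIB_MAX loop in the hunk at -172 and the 16-iteration loop in the hunk at -184) depend on a bare literal 16 and are guarded only by an ASSERT, which the commit message describes as debug-build only. If MAT_ATTRIB_MAX grows so that `MAT_ATTRIB_MAX + 16` exceeds the length of `inputs[]`, a release build overruns the array just as it did before this fix. Because both bounds are constants, one check ahead of the loop, `ASSERT(16 + MAT_ATTRIB_MAX <= Elements(exec->vtx.inputs));`, states the invariant without a per-iteration test, and the offset deserves a named constant. Both loops sit in code that begins and ends outside these hunks.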
@@ -212,6 +214,8 @@ vbo_exec_bind_arrays( GLcontext *ctx )
 if (exec->vtx.attrsz[src]) {
 /* override the default array set above */
+ ASSERT(attr < Elements(exec->vtx.inputs));
+ ASSERT(attr < Elements(exec->vtx.arrays)); /* arrays[] */
 exec->vtx.inputs[attr] = &arrays[attr];
 if (_mesa_is_bufferobj(exec->vtx.bufferobj)) { |
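Review bot: `src` indexes `exec->vtx.attrsz[]` in the `if` that opens this hunk, but it gets none of the bounds assertions the commit adds for `attr`. It is assigned outside the hunk, so its range cannot be confirmed from here; `ASSERT(src < Elements(exec->vtx.attrsz));` ahead of the `if` would bring it in line with the other checks. The second new assertion also tests `exec->vtx.arrays` while the statement below indexes the local `arrays`. The trailing `/* arrays[] */` comment suggests they are the same object, but that alias is set up outside the hunk, so asserting against the name actually used, or a comment stating the alias at its definition, would make the check verifiable.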