From 9fde81bb20bbfd2f8da80749cb84d890843a7bc2 Mon Sep 17 00:00:00 2001
From: Nicolai Hähnle
Date: Sat, 3 Oct 2009 16:30:16 +0200
Subject: shader_api: Fix bounds checking of glUniform and glUniformMatrix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Nicolai Hähnle
Reviewed-by: Ian Romanick
---
 src/mesa/shader/shader_api.c | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)
diff --git a/src/mesa/shader/shader_api.c b/src/mesa/shader/shader_api.c
index 178b7d0dbaf..b282d7af60a 100644
--- a/src/mesa/shader/shader_api.c
+++ b/src/mesa/shader/shader_api.c
@@ -1702,8 +1702,8 @@ set_program_uniform(GLcontext *ctx, struct gl_program *program,
 /* we'll ignore extra data below */
 }
 else {
- /* non-array: count must be one */
- if (count != 1) {
+ /* non-array: count must be at most one; count == 0 is handled by the loop below */
+ if (count > 1) {
 _mesa_error(ctx, GL_INVALID_OPERATION,
 "glUniform(uniform is not an array)");
 return;
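Review bot: The relaxed guard `if (count > 1)` in the non-array branch no longer rejects a negative `count`, and the new comment only explains the `count == 0` case. The declaration of `count` and the loop the comment points to are outside this hunk, so it is not visible whether the type is signed or whether a caller has already rejected negative values. If it is signed, that dependency should be written down once confirmed, for example `/* non-array: count must be at most one; count == 0 writes nothing, count < 0 is rejected by the caller */`. set_program_uniform begins and ends outside the hunk.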
@@ -1880,20 +1880,27 @@ set_program_uniform_matrix(GLcontext *ctx, struct gl_program *program,
 GLboolean transpose, const GLfloat *values)
 {
 GLuint mat, row, col;
- GLuint dst = index + offset, src = 0;
+ GLuint src = 0;
+ const struct gl_program_parameter * param = &program->Parameters->Parameters[index];
+ const GLint slots = (param->Size + 3) / 4;
+ const GLint typeSize = sizeof_glsl_type(param->DataType);
 GLint nr, nc;
 /* check that the number of rows, columns is correct */
- get_matrix_dims(program->Parameters->Parameters[index].DataType, &nr, &nc);
+ get_matrix_dims(param->DataType, &nr, &nc);
 if (rows != nr || cols != nc) {
 _mesa_error(ctx, GL_INVALID_OPERATION,
 "glUniformMatrix(matrix size mismatch)");
 return;
 }
- if (index + offset > program->Parameters->Size) {
- /* out of bounds! */
- return;
+ if (param->Size <= typeSize) {
+ /* non-array: count must be at most one; count == 0 is handled by the loop below */
+ if (count > 1) {
+ _mesa_error(ctx, GL_INVALID_OPERATION,
+ "glUniformMatrix(uniform is not an array)");
+ return;
+ }
 }
 /*
@@ -1907,7 +1914,12 @@ set_program_uniform_matrix(GLcontext *ctx, struct gl_program *program,
 /* each matrix: */
 for (col = 0; col < cols; col++) {
- GLfloat *v = program->Parameters->ParameterValues[dst];
+ GLfloat *v;
+ if (offset >= slots) {
+ /* Ignore writes beyond the end of (the used part of) an array */
+ return;
+ }
+ v = program->Parameters->ParameterValues[index + offset];
 for (row = 0; row < rows; row++) {
 if (transpose) {
 v[row] = values[src + row * cols + col];
@@ -1916,7 +1928,8 @@ set_program_uniform_matrix(GLcontext *ctx, struct gl_program *program,
 v[row] = values[src + col * rows + row];
 }
 }
- dst++;
+
+ offset++;
 }
 src += rows * cols; /* next matrix */
--
cgit v1.2.3
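Review bot: `param = &program->Parameters->Parameters[index]` is evaluated in the declarations with no range check on `index`, and the deleted `index + offset > program->Parameters->Size` test was the only bound involving `index` in the visible code. The new checks limit `count` and (in the next hunk) `offset` relative to this parameter, so every read of `param->Size` / `param->DataType` and the later write to `ParameterValues[index + offset]` depends on the caller having validated `index`. If that is the contract, state it in a comment above the declaration, or enforce it with an early `if (index >= program->Parameters->NumParameters) return;` and move the `param` initialisation after it. The function's signature starts above the hunk and its body continues below it.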
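Review bot: The new guard `if (offset >= slots)` compares against `slots`, which the previous hunk declares as `const GLint`, while `offset` appears to be unsigned (the removed `GLuint dst = index + offset` suggests so; its declaration is outside the hunk). That makes the bound a mixed signed/unsigned comparison with an implicit conversion; declaring `const GLuint slots = (param->Size + 3) / 4;` or writing `if (offset >= (GLuint) slots)` makes the intended range explicit. The check also runs once per column, so a matrix that straddled the end of the array would be partly written before the `return`. If `slots` is always a whole number of matrices for matrix uniforms, a one-line comment saying so next to the guard would document why that cannot happen.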