From 1c3f7ab74ce492d6c92f2e3a0f29957fa9a71d96 Mon Sep 17 00:00:00 2001
From: Brian Paul
Date: Wed, 4 Nov 2009 17:51:21 -0700
Subject: vbo: fix out-of-bounds array access
The exec->vtx.inputs[] array was being written past its end. This was clobbering the following vbo_exec_context::eval state. Probably not noticed since evaluators and immediate mode rendering don't happen at the same time. Fixed the loop in vbo_exec_vtx_init(). Changed the size of the vbo_exec_context::vtx.arrays[] array. Added a bunch of debug-build assertions. Issue found by Vinson Lee.
---
 src/mesa/vbo/vbo_exec.h | 2 +-
 src/mesa/vbo/vbo_exec_api.c | 6 ++++++
 src/mesa/vbo/vbo_exec_draw.c | 4 ++++
 3 files changed, 11 insertions(+), 1 deletion(-)
(limited to 'src/mesa/vbo')
diff --git a/src/mesa/vbo/vbo_exec.h b/src/mesa/vbo/vbo_exec.h
index e0f44892cff..7fb59261600 100644
--- a/src/mesa/vbo/vbo_exec.h
+++ b/src/mesa/vbo/vbo_exec.h
@@ -103,7 +103,7 @@ struct vbo_exec_context
 GLubyte active_sz[VBO_ATTRIB_MAX];
 GLfloat *attrptr[VBO_ATTRIB_MAX];
- struct gl_client_array arrays[VBO_ATTRIB_MAX];
+ struct gl_client_array arrays[VERT_ATTRIB_MAX];
 /* According to program mode, the values above plus current
 * values are squashed down to the 32 attributes passed to the
diff --git a/src/mesa/vbo/vbo_exec_api.c b/src/mesa/vbo/vbo_exec_api.c
index 387d4ee3d4a..acc76479002 100644
--- a/src/mesa/vbo/vbo_exec_api.c
+++ b/src/mesa/vbo/vbo_exec_api.c
@@ -695,8 +695,14 @@ void vbo_exec_vtx_init( struct vbo_exec_context *exec )
 _mesa_install_exec_vtxfmt( exec->ctx, &exec->vtxfmt );
 for (i = 0 ; i < VBO_ATTRIB_MAX ; i++) {
+ ASSERT(i < Elements(exec->vtx.attrsz));
 exec->vtx.attrsz[i] = 0;
+ ASSERT(i < Elements(exec->vtx.active_sz));
 exec->vtx.active_sz[i] = 0;
+ }
+ for (i = 0 ; i < VERT_ATTRIB_MAX; i++) {
+ ASSERT(i < Elements(exec->vtx.inputs));
+ ASSERT(i < Elements(exec->vtx.arrays));
 exec->vtx.inputs[i] = &exec->vtx.arrays[i];
 }
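Review bot: The new size of `arrays[]` now differs from its neighbours `active_sz[]` and `attrptr[]` (VBO_ATTRIB_MAX) and nothing in the struct says why, so a reader will assume the three are indexed together. A one-line comment above the member would make the pairing explicit, e.g. `/* one per inputs[] slot, indexed by VERT_ATTRIB_* (not VBO_ATTRIB_*) */`, since vbo_exec_vtx_init() in this same commit points each `inputs[i]` at `arrays[i]`. The `struct vbo_exec_context` definition begins and ends outside the hunk, so I cannot confirm from here that `inputs[]` is itself declared with VERT_ATTRIB_MAX.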
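Review bot: The `ASSERT(i < Elements(...))` calls inside the two loops re-evaluate a compile-time relation on every iteration, which buries the real invariant (the loop bound must not exceed the array length) in the loop body. Stating it once per loop reads more directly, e.g. `ASSERT(VBO_ATTRIB_MAX <= Elements(exec->vtx.attrsz));` and `ASSERT(VERT_ATTRIB_MAX <= Elements(exec->vtx.inputs));` placed before the respective `for`. Either way these checks vanish in release builds; the protection that survives is the corrected loop bound, which is what the commit already does. `vbo_exec_vtx_init` starts before the hunk, where `i` is declared.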
diff --git a/src/mesa/vbo/vbo_exec_draw.c b/src/mesa/vbo/vbo_exec_draw.c
index 0c258c535e0..f41d6294507 100644
--- a/src/mesa/vbo/vbo_exec_draw.c
+++ b/src/mesa/vbo/vbo_exec_draw.c
@@ -172,6 +172,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
 exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
 }
 for (attr = 0; attr < MAT_ATTRIB_MAX; attr++) {
+ ASSERT(attr + 16 < Elements(exec->vtx.inputs));
 exec->vtx.inputs[attr + 16] = &vbo->mat_currval[attr];
 }
 map = vbo->map_vp_none;
@@ -184,6 +185,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
 */
 for (attr = 0; attr < 16; attr++) {
 exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
+ ASSERT(attr + 16 < Elements(exec->vtx.inputs));
 exec->vtx.inputs[attr + 16] = &vbo->generic_currval[attr];
 }
 map = vbo->map_vp_arb;
@@ -212,6 +214,8 @@ vbo_exec_bind_arrays( GLcontext *ctx )
 if (exec->vtx.attrsz[src]) {
 /* override the default array set above */
+ ASSERT(attr < Elements(exec->vtx.inputs));
+ ASSERT(attr < Elements(exec->vtx.arrays)); /* arrays[] */
 exec->vtx.inputs[attr] = &arrays[attr];
 if (_mesa_is_bufferobj(exec->vtx.bufferobj)) {
-- 
cgit v1.2.3
From 133501bef2933395f14b2ebdfeda84279be93c60 Mon Sep 17 00:00:00 2001
From: Brian Paul
Date: Tue, 17 Nov 2009 16:16:16 -0700
Subject: mesa: fix assorted compiler warnings
---
 src/mesa/shader/program_parser.h | 2 +-
 src/mesa/shader/slang/slang_codegen.c | 2 +-
 src/mesa/state_tracker/st_atom.c | 8 ++++----
 src/mesa/state_tracker/st_cb_bitmap.c | 2 +-
 src/mesa/state_tracker/st_program.c | 4 ++--
 src/mesa/vbo/vbo_exec_array.c | 2 +-
 6 files changed, 10 insertions(+), 10 deletions(-)
(limited to 'src/mesa/vbo')
diff --git a/src/mesa/shader/program_parser.h b/src/mesa/shader/program_parser.h
index bce6041381f..c170948f73a 100644
--- a/src/mesa/shader/program_parser.h
+++ b/src/mesa/shader/program_parser.h
@@ -35,7 +35,7 @@ enum asm_type {
 at_attrib,
 at_param,
 at_temp,
- at_output,
+ at_output
 };
 struct asm_symbol {
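Review bot: The new assertion hard-codes the same bare `16` that the index expression uses, so it can only catch a shrink of `inputs[]`, never a mismatch between that offset and the attribute layout; the same applies to the second hunk at @@ -184. If the offset is the generic-attribute base (`VERT_ATTRIB_GENERIC0` in Mesa's mtypes.h, which I believe is 16 at this point in the tree), writing `ASSERT(VERT_ATTRIB_GENERIC0 + attr < Elements(exec->vtx.inputs));` and using the same name in the index would tie the check to the enum instead of a literal. `vbo_exec_bind_arrays` starts before and ends after these hunks.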
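Review bot: The second new assertion bounds `attr` against `exec->vtx.arrays` while the statement below indexes a local `arrays`, and the trailing `/* arrays[] */` does not explain the substitution. If the local is a pointer into `exec->vtx.arrays` (its declaration is outside the hunk, so this is inferred), say so where the check is made: `/* local arrays points into exec->vtx.arrays; Elements() needs the member */`. The enclosing `if` and the function both continue past the hunk.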
diff --git a/src/mesa/shader/slang/slang_codegen.c b/src/mesa/shader/slang/slang_codegen.c
index 344dfdc6804..ee5a50ca82e 100644
--- a/src/mesa/shader/slang/slang_codegen.c
+++ b/src/mesa/shader/slang/slang_codegen.c
@@ -925,7 +925,7 @@ gen_return_with_expression(slang_assemble_ctx *A, slang_operation *oper)
 slang_operation_copy(rhs, &oper->children[0]);
 }
- ///blockOper->locals->outer_scope = oper->locals->outer_scope;
+ /*blockOper->locals->outer_scope = oper->locals->outer_scope;*/
 /*slang_print_tree(blockOper, 0);*/
diff --git a/src/mesa/state_tracker/st_atom.c b/src/mesa/state_tracker/st_atom.c
index ca15ce1b474..0e89a624c4e 100644
--- a/src/mesa/state_tracker/st_atom.c
+++ b/src/mesa/state_tracker/st_atom.c
@@ -137,7 +137,7 @@ void st_validate_state( struct st_context *st )
 if (state->st == 0) return;
-// _mesa_printf("%s %x/%x\n", __FUNCTION__, state->mesa, state->st);
+ /*_mesa_printf("%s %x/%x\n", __FUNCTION__, state->mesa, state->st);*/
 if (1) {
 /* Debug version which enforces various sanity checks on the
@@ -152,7 +152,7 @@ void st_validate_state( struct st_context *st )
 const struct st_tracked_state *atom = atoms[i];
 struct st_state_flags generated;
-// _mesa_printf("atom %s %x/%x\n", atom->name, atom->dirty.mesa, atom->dirty.st);
+ /*_mesa_printf("atom %s %x/%x\n", atom->name, atom->dirty.mesa, atom->dirty.st);*/
 if (!(atom->dirty.mesa || atom->dirty.st) || !atom->update) {
@@ -162,7 +162,7 @@ void st_validate_state( struct st_context *st )
 if (check_state(state, &atom->dirty)) {
 atoms[i]->update( st );
-// _mesa_printf("after: %x\n", atom->dirty.mesa);
+ /*_mesa_printf("after: %x\n", atom->dirty.mesa);*/
 }
 accumulate_state(&examined, &atom->dirty);
@@ -175,7 +175,7 @@ void st_validate_state( struct st_context *st )
 assert(!check_state(&examined, &generated));
 prev = *state;
 }
-// _mesa_printf("\n");
+ /*_mesa_printf("\n");*/
 } else {
diff --git a/src/mesa/state_tracker/st_cb_bitmap.c b/src/mesa/state_tracker/st_cb_bitmap.c
index a22fa68299b..1960d171bf6 100644
--- a/src/mesa/state_tracker/st_cb_bitmap.c
+++ b/src/mesa/state_tracker/st_cb_bitmap.c
@@ -526,7 +526,7 @@ reset_cache(struct st_context *st)
 struct pipe_screen *screen = pipe->screen;
 struct bitmap_cache *cache = st->bitmap.cache;
- //memset(cache->buffer, 0xff, sizeof(cache->buffer));
+ /*memset(cache->buffer, 0xff, sizeof(cache->buffer));*/
 cache->empty = GL_TRUE;
 cache->xmin = 1000000;
diff --git a/src/mesa/state_tracker/st_program.c b/src/mesa/state_tracker/st_program.c
index a9be80ce8f3..6d02722c134 100644
--- a/src/mesa/state_tracker/st_program.c
+++ b/src/mesa/state_tracker/st_program.c
@@ -80,7 +80,7 @@ st_translate_vertex_program(struct st_context *st,
 GLbitfield input_flags[MAX_PROGRAM_INPUTS];
 GLbitfield output_flags[MAX_PROGRAM_OUTPUTS];
-// memset(&vs, 0, sizeof(vs));
+ /*memset(&vs, 0, sizeof(vs));*/
 memset(input_flags, 0, sizeof(input_flags));
 memset(output_flags, 0, sizeof(output_flags));
@@ -386,7 +386,7 @@ st_translate_fragment_program(struct st_context *st,
 GLbitfield input_flags[MAX_PROGRAM_INPUTS];
 GLbitfield output_flags[MAX_PROGRAM_OUTPUTS];
-// memset(&fs, 0, sizeof(fs));
+ /*memset(&fs, 0, sizeof(fs));*/
 memset(input_flags, 0, sizeof(input_flags));
 memset(output_flags, 0, sizeof(output_flags));
diff --git a/src/mesa/vbo/vbo_exec_array.c b/src/mesa/vbo/vbo_exec_array.c
index fd70b57b72e..6de8f059b79 100644
--- a/src/mesa/vbo/vbo_exec_array.c
+++ b/src/mesa/vbo/vbo_exec_array.c
@@ -146,7 +146,7 @@ check_array_data(GLcontext *ctx, struct gl_client_array *array,
 array->Ptr, array->BufferObj->Name);
 f[k] = 1.0; /* XXX replace the bad value! */
 }
- //assert(!IS_INF_OR_NAN(f[k]));
+ /*assert(!IS_INF_OR_NAN(f[k]));*/
 }
 }
 break;
-- 
cgit v1.2.3
From 2198497203ec427f836978098028abf3350e5e57 Mon Sep 17 00:00:00 2001
From: Brian Paul
Date: Thu, 19 Nov 2009 15:17:56 -0700
Subject: vbo: added recursion check in vbo_exec_FlushVertices()
---
 src/mesa/vbo/vbo_exec_api.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
(limited to 'src/mesa/vbo')
diff --git a/src/mesa/vbo/vbo_exec_api.c b/src/mesa/vbo/vbo_exec_api.c
index f72d2d84f38..c90565eae8c 100644
--- a/src/mesa/vbo/vbo_exec_api.c
+++ b/src/mesa/vbo/vbo_exec_api.c
@@ -867,15 +867,27 @@ void vbo_exec_FlushVertices_internal( GLcontext *ctx, GLboolean unmap )
 }
-
+/**
+ * \param flags bitmask of FLUSH_STORED_VERTICES, FLUSH_UPDATE_CURRENT
+ */
 void vbo_exec_FlushVertices( GLcontext *ctx, GLuint flags )
 {
 struct vbo_exec_context *exec = &vbo_context(ctx)->exec;
+#ifdef DEBUG
+ /* debug check: make sure we don't get called recursively */
+ static GLuint callDepth = 0;
+ callDepth++;
+ assert(callDepth == 1);
+#endif
+
 if (0) _mesa_printf("%s\n", __FUNCTION__);
 if (exec->ctx->Driver.CurrentExecPrimitive != PRIM_OUTSIDE_BEGIN_END) {
 if (0) _mesa_printf("%s - inside begin/end\n", __FUNCTION__);
+#ifdef DEBUG
+ callDepth--;
+#endif
 return;
 }
@@ -889,6 +901,10 @@ void vbo_exec_FlushVertices( GLcontext *ctx, GLuint flags )
 }
 exec->ctx->Driver.NeedFlush &= ~flags;
+
+#ifdef DEBUG
+ callDepth--;
+#endif
 }
-- 
cgit v1.2.3
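Review bot: `callDepth` is a function-scope static, so it is shared by every GLcontext and thread in the process; two contexts flushing on different threads would trip `assert(callDepth == 1)` with no recursion at all, and the unsynchronised `++`/`--` pair can leave the counter permanently off by one so every later debug call asserts. Either document the constraint at the declaration, e.g. `/* process-wide, not per-context: only meaningful with a single rendering thread */`, or keep the counter in `struct vbo_exec_context` so it is per-context. It is also worth confirming that no return in the lines between the two hunks (not shown here) bypasses the decrement, since the second hunk at @@ -889 only restores it on the fall-through path. The body of `vbo_exec_FlushVertices` continues outside both hunks.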