Members vertexData, normalData, colorData, and textureData[] are all
vectors of GLfloat (a scalar, not a vector). The functions
GLVertexBuffer::addVertices, ::addNormals, ::addColors and
::addTexCoords have the number of vectors as parameter but push scalars
into the Data members.

Therefore Data.size() is the number of GLfloats, not e.g. the number of
vertices, so it must no longer be multiplied by the per-vertex element
count in the GL::bufferData call.

This patch fixes an out-of-bounds read of user memory, which may
sometimes lead to a segmentation fault.

Signed-off-by: Pekka Paalanen <[email protected]>
---
 plugins/opengl/src/vertexbuffer.cpp |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/plugins/opengl/src/vertexbuffer.cpp 
b/plugins/opengl/src/vertexbuffer.cpp
index b748a9a..03e0a25 100644
--- a/plugins/opengl/src/vertexbuffer.cpp
+++ b/plugins/opengl/src/vertexbuffer.cpp
@@ -89,14 +89,14 @@ int GLVertexBuffer::end ()
 
     GL::bindBuffer (GL_ARRAY_BUFFER, priv->vertexBuffer);
     GL::bufferData (GL_ARRAY_BUFFER,
-                    sizeof(GLfloat) * priv->vertexData.size () * 3,
+                    sizeof(GLfloat) * priv->vertexData.size (),
                     &priv->vertexData[0], priv->usage);
 
     if (priv->normalData.size ())
     {
        GL::bindBuffer (GL_ARRAY_BUFFER, priv->normalBuffer);
        GL::bufferData (GL_ARRAY_BUFFER,
-                       sizeof(GLfloat) * priv->normalData.size () * 3,
+                       sizeof(GLfloat) * priv->normalData.size (),
                        &priv->normalData[0], priv->usage);
     }
 
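Review bot: The vertexData upload at the top of this hunk still passes `&priv->vertexData[0]` with no emptiness check, whereas the normalData upload right below is guarded by `if (priv->normalData.size ())`; indexing element 0 of an empty std::vector is undefined behaviour, so if the caller can reach end() without adding vertices this is a second out-of-bounds access the patch leaves in place. The guard may exist above the hunk (GLVertexBuffer::end starts before line 89), but if it does not, either wrap the bind/bufferData pair in `if (priv->vertexData.size ())` like the other three uploads, or replace the `&priv->vertexData[0]` argument with `priv->vertexData.data ()`, which is well defined for an empty vector (bufferData would then just receive a zero size). The same corrected size expression is now repeated four times across the three hunks; tying it to the container with `priv->vertexData.size () * sizeof (priv->vertexData[0])` keeps the byte count and the element type from drifting apart again.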
@@ -104,7 +104,7 @@ int GLVertexBuffer::end ()
     {
        GL::bindBuffer (GL_ARRAY_BUFFER, priv->colorBuffer);
        GL::bufferData (GL_ARRAY_BUFFER,
-                       sizeof(GLfloat) * priv->colorData.size () * 4,
+                       sizeof(GLfloat) * priv->colorData.size (),
                        &priv->colorData[0], priv->usage);
     }
 
@@ -114,7 +114,7 @@ int GLVertexBuffer::end ()
        {
            GL::bindBuffer (GL_ARRAY_BUFFER, priv->textureBuffers[i]);
            GL::bufferData (GL_ARRAY_BUFFER,
-                           sizeof(GLfloat) * priv->textureData[i].size () * 2,
+                           sizeof(GLfloat) * priv->textureData[i].size (),
                            &priv->textureData[i][0], priv->usage);
        }
     }
-- 
1.7.3.4
