Mesa (main): draw: Prevent index buffer overflow.

Fri, 11 Nov 2022 05:24:24 -0800 

Module: Mesa
Branch: main
Commit: 6bb5aceb28f5e9583a21786ef43d6de68533f6ee
URL:    
http://cgit.freedesktop.org/mesa/mesa/commit/?id=6bb5aceb28f5e9583a21786ef43d6de68533f6ee

Author: Jose Fonseca <[email protected]>
Date:   Wed Nov  9 09:22:06 2022 +0000

draw: Prevent index buffer overflow.

This prevents segfaults running wgf11draw DrawMethod=DrawIndexed tests
cases.

This change is not, however, sufficient to pass all tests.  That is,
there must remain code paths where indices read beyond the end of the
index buffer do not return zero index.

Reviewed-by: Roland Scheidegger <[email protected]>
Reviewed-by: Brian Paul <[email protected]>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/19648>

---

 src/gallium/auxiliary/draw/draw_pt.c | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/src/gallium/auxiliary/draw/draw_pt.c 
b/src/gallium/auxiliary/draw/draw_pt.c
index 10908e2d23c..9d716732d59 100644
--- a/src/gallium/auxiliary/draw/draw_pt.c
+++ b/src/gallium/auxiliary/draw/draw_pt.c
@@ -365,23 +365,25 @@ prim_restart_loop(struct draw_context *draw,
    const unsigned MAX_LOOP_IDX = 0xffffffff;
 
    for (unsigned j = 0; j < draw_info->count; j++) {
-      unsigned restart_idx = 0;
+      unsigned index = 0;
       unsigned i = draw_overflow_uadd(draw_info->start, j, MAX_LOOP_IDX);
-      switch (draw->pt.user.eltSize) {
-      case 1:
-         restart_idx = ((const uint8_t*)elements)[i];
-         break;
-      case 2:
-         restart_idx = ((const uint16_t*)elements)[i];
-         break;
-      case 4:
-         restart_idx = ((const uint32_t*)elements)[i];
-         break;
-      default:
-         assert(0 && "bad eltSize in draw_arrays()");
+      if (i < elt_max) {
+         switch (draw->pt.user.eltSize) {
+         case 1:
+            index = ((const uint8_t*)elements)[i];
+            break;
+         case 2:
+            index = ((const uint16_t*)elements)[i];
+            break;
+         case 4:
+            index = ((const uint32_t*)elements)[i];
+            break;
+         default:
+            assert(0 && "bad eltSize in draw_arrays()");
+         }
       }
 
-      if (i < elt_max && restart_idx == info->restart_index) {
+      if (index == info->restart_index) {
          if (cur.count > 0) {
             /* draw elts up to prev pos */
             draw_pt_arrays(draw, info->mode, info->index_bias_varies, &cur, 1);

Reply via email to