For the series: Reviewed-by: Marek Olšák <[email protected]>
Marek On Tue, Jun 20, 2017 at 3:50 AM, Brian Paul <[email protected]> wrote: > A common user error is to call glDrawRangeElements() with the 'end' > argument being one too large. If we use the vbuf module to translate > some vertex attributes this error can cause us to read past the end of > the mapped hardware buffer, resulting in a crash. > > This patch adjusts the vertex count to avoid that issue. Typically, > the vertex_count gets decremented by one. > > This fixes crashes with the Unigine Tropics and Sanctuary demos with older > VMware hardware versions. The issue isn't hit with VGPU10 because we > don't hit this fallback. > > No piglit changes. > > CC: [email protected] > --- > src/gallium/auxiliary/util/u_vbuf.c | 16 +++++++++++++++- > 1 file changed, 15 insertions(+), 1 deletion(-) > > diff --git a/src/gallium/auxiliary/util/u_vbuf.c > b/src/gallium/auxiliary/util/u_vbuf.c > index b342f34..6dc8bc7 100644 > --- a/src/gallium/auxiliary/util/u_vbuf.c > +++ b/src/gallium/auxiliary/util/u_vbuf.c > @@ -416,8 +416,22 @@ u_vbuf_translate_buffers(struct u_vbuf *mgr, struct > translate_key *key, > unsigned size = vb->stride ? num_vertices * vb->stride > : sizeof(double)*4; > > - if (offset+size > vb->buffer.resource->width0) { > + if (offset + size > vb->buffer.resource->width0) { > + /* Don't try to map past end of buffer. This often happens when > + * we're translating an attribute that's at offset > 0 from the > + * start of the vertex. If we'd subtract attrib's offset from > + * the size, this probably wouldn't happen. > + */ > size = vb->buffer.resource->width0 - offset; > + > + /* Also adjust num_vertices. A common user error is to call > + * glDrawRangeElements() with incorrect 'end' argument. The 'end > + * value should be the max index value, but people often > + * accidentally add one to this value. This adjustment avoids > + * crashing (by reading past the end of a hardware buffer > mapping) > + * when people do that. > + */ > + num_vertices = (size + vb->stride - 1) / vb->stride; > } > > map = pipe_buffer_map_range(mgr->pipe, vb->buffer.resource, offset, > size, > -- > 1.9.1 > > _______________________________________________ > mesa-dev mailing list > [email protected] > https://lists.freedesktop.org/mailman/listinfo/mesa-dev _______________________________________________ mesa-dev mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/mesa-dev
