On 06/11/2012 12:59 AM, Pauli Nieminen wrote:
DrawElements checks for cound beeing larger than index buffer object.

"count being"


But application can specify offset to buffer leading to buffer overflow
again. ARB_vertex_buffer_object leaves the case undefined but allows
program termination.

But indirect glx needs to check to avoid crashing X.

"   What happens when an attempt is made to access data outside the
     bounds of the buffer object with a command that dereferences the
     arrays?

         RESOLVED: ALLOW PROGRAM TERMINATION.  In the event of a
         software fallback, bounds checking can become impractical. Since
         applications don't know the actual address of the buffer object
         and only provide an offset, they can't ever guarantee that
         out-of-bounds offsets will fall on valid memory.  So it's hard to
         do any better than this."

Signed-off-by: Pauli Nieminen<pauli.niemi...@linux.intel.com>
---
  src/mesa/main/api_validate.c |    3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/mesa/main/api_validate.c b/src/mesa/main/api_validate.c
index 02495a1..4382dc9 100644
--- a/src/mesa/main/api_validate.c
+++ b/src/mesa/main/api_validate.c
@@ -299,7 +299,8 @@ _mesa_validate_DrawElements(struct gl_context *ctx,
     if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) {
        /* use indices in the buffer object */
        /* make sure count doesn't go outside buffer bounds */
-      if (index_bytes(type, count)>  
ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
+      if (index_bytes(type, count) + (GLsizei)indices>
+          ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
           _mesa_warning(ctx, "glDrawElements index out of buffer bounds");
           return GL_FALSE;
        }
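Review bot: In the new condition, `(GLsizei)indices` narrows a pointer-sized offset to a 32-bit signed integer before the addition, so on a 64-bit build the high bits of the offset are dropped and the sum itself can wrap, which lets an out-of-range offset pass the test. Consider doing the comparison in a pointer-sized type and avoiding the addition, for example by rejecting the draw when the offset exceeds `ElementArrayBufferObj->Size` and then comparing `index_bytes(type, count)` against `Size` minus the offset.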

Reviewed-by: Brian Paul <bri...@vmware.com>
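
The bounds check discussed in this message, as an added example that is not code from the patch or from Mesa: it compares a count-only check, a check that adds an offset narrowed to 32 bits, and an overflow-safe form. The names `idx_type`, `count_only_ok`, `narrowed_sum_ok` and `range_ok` and the sample sizes are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical index types; the value is the size of one index in bytes. */
enum idx_type { IDX_U8 = 1, IDX_U16 = 2, IDX_U32 = 4 };

/* Count-only check: the offset into the buffer is ignored. */
static bool count_only_ok(enum idx_type t, int32_t count,
                          uint64_t offset, uint64_t buf_size)
{
    (void)offset;
    return count >= 0 && (uint64_t)count * t <= buf_size;
}

/* Model of adding an offset that was first narrowed to 32 bits:
 * the high bits of a 64-bit offset are lost before the comparison. */
static bool narrowed_sum_ok(enum idx_type t, int32_t count,
                            uint64_t offset, uint64_t buf_size)
{
    uint32_t low = (uint32_t)offset;   /* truncation happens here */
    return count >= 0 && (uint64_t)count * t + low <= buf_size;
}

/* Overflow-safe form: never add caller-supplied values together;
 * subtract the offset from the known buffer size instead. */
static bool range_ok(enum idx_type t, int32_t count,
                     uint64_t offset, uint64_t buf_size)
{
    if (count < 0 || offset > buf_size)
        return false;
    return (uint64_t)count * t <= buf_size - offset;
}

int main(void)
{
    const uint64_t size = 1024;   /* constructed sample buffer size */
    /* 512 two-byte indices fill the buffer exactly, so any offset overruns. */
    printf("offset 2:     count-only=%d narrowed=%d safe=%d\n",
           count_only_ok(IDX_U16, 512, 2, size),
           narrowed_sum_ok(IDX_U16, 512, 2, size),
           range_ok(IDX_U16, 512, 2, size));
    printf("offset 2^32:  count-only=%d narrowed=%d safe=%d\n",
           count_only_ok(IDX_U16, 512, 1ULL << 32, size),
           narrowed_sum_ok(IDX_U16, 512, 1ULL << 32, size),
           range_ok(IDX_U16, 512, 1ULL << 32, size));
    return 0;
}
```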
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/mesa-dev
