[Mesa3d-dev] swrast for AA lines assuming attributes are textures

Fri, 27 Apr 2007 22:40:27 -0700 

The NAME(line) function template in s_aalinetemp.h loop over the
fragment attributes. A bounds check in this functions to perform some
texture-specific computations checks only to ensure that the attribute
is < FRAG_ATTRIB_VAR0, but not >= FRAG_ATTRIB_TEX0. This causes the code
to compute a negative index on the Texture unit array and general chaos
ensues.

That's as good a description as I can construct reading just the local
code. I found a nice segfault in 'scorched3d'. Reviewing the code, I
found several additional instances of the same pattern, so I've patched
all of them. This patch is against current master; if it looks OK, I can
push it.

diff --git a/src/mesa/swrast/s_aalinetemp.h b/src/mesa/swrast/s_aalinetemp.h
index ef26e9e..6ae8eb9 100644
--- a/src/mesa/swrast/s_aalinetemp.h
+++ b/src/mesa/swrast/s_aalinetemp.h
@@ -93,7 +93,7 @@ NAME(plot)(GLcontext *ctx, struct LineInfo *line, int ix, int 
iy)
       attribArray[i][0] = solve_plane(fx, fy, line->sPlane[attr]) * invQ;
       attribArray[i][1] = solve_plane(fx, fy, line->tPlane[attr]) * invQ;
       attribArray[i][2] = solve_plane(fx, fy, line->uPlane[attr]) * invQ;
-      if (attr < FRAG_ATTRIB_VAR0) {
+      if (attr < FRAG_ATTRIB_VAR0 && attr >= FRAG_ATTRIB_TEX0) {
          const GLuint unit = attr - FRAG_ATTRIB_TEX0;
          line->span.array->lambda[unit][i]
             = compute_lambda(line->sPlane[attr],
@@ -220,7 +220,7 @@ NAME(line)(GLcontext *ctx, const SWvertex *v0, const 
SWvertex *v1)
          compute_plane(line.x0, line.y0, line.x1, line.y1, t0, t1, 
line.tPlane[attr]);
          compute_plane(line.x0, line.y0, line.x1, line.y1, r0, r1, 
line.uPlane[attr]);
          compute_plane(line.x0, line.y0, line.x1, line.y1, q0, q1, 
line.vPlane[attr]);
-         if (attr < FRAG_ATTRIB_VAR0) {
+         if (attr < FRAG_ATTRIB_VAR0 && attr >= FRAG_ATTRIB_TEX0) {
             const GLuint u = attr - FRAG_ATTRIB_TEX0;
             const struct gl_texture_object *obj = 
ctx->Texture.Unit[u]._Current;
             const struct gl_texture_image *texImage = 
obj->Image[0][obj->BaseLevel];
diff --git a/src/mesa/swrast/s_aatritemp.h b/src/mesa/swrast/s_aatritemp.h
index 8ff52cb..cb32d40 100644
--- a/src/mesa/swrast/s_aatritemp.h
+++ b/src/mesa/swrast/s_aatritemp.h
@@ -203,7 +203,7 @@
          compute_plane(p0, p1, p2, t0, t1, t2, tPlane[attr]);
          compute_plane(p0, p1, p2, r0, r1, r2, uPlane[attr]);
          compute_plane(p0, p1, p2, q0, q1, q2, vPlane[attr]);
-         if (attr < FRAG_ATTRIB_VAR0) {
+         if (attr < FRAG_ATTRIB_VAR0 && attr >= FRAG_ATTRIB_TEX0) {
             const GLuint u = attr - FRAG_ATTRIB_TEX0;
             const struct gl_texture_object *obj = 
ctx->Texture.Unit[u]._Current;
             const struct gl_texture_image *texImage = 
obj->Image[0][obj->BaseLevel];
@@ -289,7 +289,7 @@
                array->attribs[attr][count][0] = solve_plane(cx, cy, 
sPlane[attr]) * invQ;
                array->attribs[attr][count][1] = solve_plane(cx, cy, 
tPlane[attr]) * invQ;
                array->attribs[attr][count][2] = solve_plane(cx, cy, 
uPlane[attr]) * invQ;
-               if (attr < FRAG_ATTRIB_VAR0) {
+               if (attr < FRAG_ATTRIB_VAR0 && attr >= FRAG_ATTRIB_TEX0) {
                   const GLuint unit = attr - FRAG_ATTRIB_TEX0;
                   array->lambda[unit][count] = compute_lambda(sPlane[attr], 
tPlane[attr],
                                                               vPlane[attr], 
cx, cy, invQ,
@@ -381,7 +381,7 @@
                array->attribs[attr][ix][0] = solve_plane(cx, cy, sPlane[attr]) 
* invQ;
                array->attribs[attr][ix][1] = solve_plane(cx, cy, tPlane[attr]) 
* invQ;
                array->attribs[attr][ix][2] = solve_plane(cx, cy, uPlane[attr]) 
* invQ;
-               if (attr < FRAG_ATTRIB_VAR0) {
+               if (attr < FRAG_ATTRIB_VAR0 && attr >= FRAG_ATTRIB_TEX0) {
                   const GLuint unit = attr - FRAG_ATTRIB_TEX0;
                   array->lambda[unit][ix] = compute_lambda(sPlane[attr],
                                                            tPlane[attr],
diff --git a/src/mesa/swrast/s_pointtemp.h b/src/mesa/swrast/s_pointtemp.h
index 500b3fe..0dff75a 100644
--- a/src/mesa/swrast/s_pointtemp.h
+++ b/src/mesa/swrast/s_pointtemp.h
@@ -275,7 +275,7 @@ NAME ( GLcontext *ctx, const SWvertex *vert )
 #if FLAGS & TEXTURE
             ATTRIB_LOOP_BEGIN
                COPY_4V(span->array->attribs[attr][count], attrib[attr]);
-               if (attr < FRAG_ATTRIB_VAR0) {
+               if (attr < FRAG_ATTRIB_VAR0 && attr >= FRAG_ATTRIB_TEX0) {
                   const GLuint u = attr - FRAG_ATTRIB_TEX0;
                   span->array->lambda[u][count] = 0.0;
                }

-- 
[EMAIL PROTECTED]

Attachment: signature.asc
Description: This is a digitally signed message part

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Mesa3d-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mesa3d-dev

Reply via email to