From 1c3f7ab74ce492d6c92f2e3a0f29957fa9a71d96 Mon Sep 17 00:00:00 2001 From: Brian Paul Date: Wed, 4 Nov 2009 17:51:21 -0700 Subject: vbo: fix out-of-bounds array access The exec->vtx.inputs[] array was being written past its end. This was clobbering the following vbo_exec_context::eval state. Probably not noticed since evaluators and immediate mode rendering don't happen at the same time. Fixed the loop in vbo_exec_vtx_init(). Changed the size of the vbo_exec_context::vtx.arrays[] array. Added a bunch of debug-build assertions. Issue found by Vinson Lee. --- src/mesa/vbo/vbo_exec_api.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/mesa/vbo/vbo_exec_api.c') diff --git a/src/mesa/vbo/vbo_exec_api.c b/src/mesa/vbo/vbo_exec_api.c index 387d4ee3d4..acc7647900 100644 --- a/src/mesa/vbo/vbo_exec_api.c +++ b/src/mesa/vbo/vbo_exec_api.c @@ -695,8 +695,14 @@ void vbo_exec_vtx_init( struct vbo_exec_context *exec ) _mesa_install_exec_vtxfmt( exec->ctx, &exec->vtxfmt ); for (i = 0 ; i < VBO_ATTRIB_MAX ; i++) { + ASSERT(i < Elements(exec->vtx.attrsz)); exec->vtx.attrsz[i] = 0; + ASSERT(i < Elements(exec->vtx.active_sz)); exec->vtx.active_sz[i] = 0; + } + for (i = 0 ; i < VERT_ATTRIB_MAX; i++) { + ASSERT(i < Elements(exec->vtx.inputs)); + ASSERT(i < Elements(exec->vtx.arrays)); exec->vtx.inputs[i] = &exec->vtx.arrays[i]; } -- cgit v1.2.3 From 2198497203ec427f836978098028abf3350e5e57 Mon Sep 17 00:00:00 2001 From: Brian Paul Date: Thu, 19 Nov 2009 15:17:56 -0700 Subject: vbo: added recursion check in vbo_exec_FlushVertices() --- src/mesa/vbo/vbo_exec_api.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'src/mesa/vbo/vbo_exec_api.c') diff --git a/src/mesa/vbo/vbo_exec_api.c b/src/mesa/vbo/vbo_exec_api.c index f72d2d84f3..c90565eae8 100644 --- a/src/mesa/vbo/vbo_exec_api.c +++ b/src/mesa/vbo/vbo_exec_api.c @@ -867,15 +867,27 @@ void vbo_exec_FlushVertices_internal( GLcontext *ctx, GLboolean unmap ) } - +/** + * \param flags bitmask of FLUSH_STORED_VERTICES, FLUSH_UPDATE_CURRENT + */ void vbo_exec_FlushVertices( GLcontext *ctx, GLuint flags ) { struct vbo_exec_context *exec = &vbo_context(ctx)->exec; +#ifdef DEBUG + /* debug check: make sure we don't get called recursively */ + static GLuint callDepth = 0; + callDepth++; + assert(callDepth == 1); +#endif + if (0) _mesa_printf("%s\n", __FUNCTION__); if (exec->ctx->Driver.CurrentExecPrimitive != PRIM_OUTSIDE_BEGIN_END) { if (0) _mesa_printf("%s - inside begin/end\n", __FUNCTION__); +#ifdef DEBUG + callDepth--; +#endif return; } @@ -889,6 +901,10 @@ void vbo_exec_FlushVertices( GLcontext *ctx, GLuint flags ) } exec->ctx->Driver.NeedFlush &= ~flags; + +#ifdef DEBUG + callDepth--; +#endif } -- cgit v1.2.3