Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
Mesa
mesa-overflow-fix.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File mesa-overflow-fix.patch of Package Mesa
commit 1dd84357ec8d6894ec6bbd7040a8e8328015cd16 Author: Zack Rusin <zackr@vmware.com> Date: Mon Mar 3 23:09:58 2014 -0500 translate: fix buffer overflows Because in draw we always inject position at slot 0 whenever fragment shader would take the maximum number of inputs (32) it meant that we had PIPE_MAX_ATTRIBS + 1 slots to translate, which meant that we were crashing with fragment shaders that took the maximum number of attributes as inputs. The actual max number of attributes we need to translate thus is PIPE_MAX_ATTRIBS + 1. Signed-off-by: Zack Rusin <zackr@vmware.com> Reviewed-by: José Fonseca <jfonseca@vmware.com> Reviewed-by: Roland Scheidegger <sroland@vmware.com> Reviewed-by: Matthew McClure <mcclurem@vmware.com> diff --git a/src/gallium/auxiliary/translate/translate.h b/src/gallium/auxiliary/translate/translate.h index d5f23b8..7fe8ff8 100644 --- a/src/gallium/auxiliary/translate/translate.h +++ b/src/gallium/auxiliary/translate/translate.h @@ -44,6 +44,14 @@ #include "pipe/p_format.h" #include "pipe/p_state.h" +/** + * Translate has to work on one more attribute because + * the draw module has to be able to pass the vertex + * position even if the fragment shader already consumes + * PIPE_MAX_ATTRIBS inputs. + */ +#define TRANSLATE_MAX_ATTRIBS (PIPE_MAX_ATTRIBS + 1) + enum translate_element_type { TRANSLATE_ELEMENT_NORMAL, TRANSLATE_ELEMENT_INSTANCE_ID @@ -64,7 +72,7 @@ struct translate_element struct translate_key { unsigned output_stride; unsigned nr_elements; - struct translate_element element[PIPE_MAX_ATTRIBS + 1]; + struct translate_element element[TRANSLATE_MAX_ATTRIBS]; }; diff --git a/src/gallium/auxiliary/translate/translate_cache.c b/src/gallium/auxiliary/translate/translate_cache.c index 2c1c114..bb8bdcb 100644 --- a/src/gallium/auxiliary/translate/translate_cache.c +++ b/src/gallium/auxiliary/translate/translate_cache.c @@ -73,7 +73,7 @@ void translate_cache_destroy(struct translate_cache *cache) static INLINE unsigned translate_hash_key_size(struct translate_key *key) { unsigned size = sizeof(struct translate_key) - - sizeof(struct translate_element) * (PIPE_MAX_ATTRIBS - key->nr_elements); + sizeof(struct translate_element) * (TRANSLATE_MAX_ATTRIBS - key->nr_elements); return size; } diff --git a/src/gallium/auxiliary/translate/translate_generic.c b/src/gallium/auxiliary/translate/translate_generic.c index 5ffce32..26b87c5 100644 --- a/src/gallium/auxiliary/translate/translate_generic.c +++ b/src/gallium/auxiliary/translate/translate_generic.c @@ -73,7 +73,7 @@ struct translate_generic { */ int copy_size; - } attrib[PIPE_MAX_ATTRIBS]; + } attrib[TRANSLATE_MAX_ATTRIBS]; unsigned nr_attrib; }; @@ -799,6 +799,8 @@ struct translate *translate_generic_create( const struct translate_key *key ) if (tg == NULL) return NULL; + assert(key->nr_elements <= TRANSLATE_MAX_ATTRIBS); + tg->translate.key = *key; tg->translate.release = generic_release; tg->translate.set_buffer = generic_set_buffer; diff --git a/src/gallium/auxiliary/translate/translate_sse.c b/src/gallium/auxiliary/translate/translate_sse.c index b6bc222..1b698cd 100644 --- a/src/gallium/auxiliary/translate/translate_sse.c +++ b/src/gallium/auxiliary/translate/translate_sse.c @@ -104,15 +104,15 @@ struct translate_sse int8_t reg_to_const[16]; int8_t const_to_reg[NUM_CONSTS]; - struct translate_buffer buffer[PIPE_MAX_ATTRIBS]; + struct translate_buffer buffer[TRANSLATE_MAX_ATTRIBS]; unsigned nr_buffers; /* Multiple buffer variants can map to a single buffer. */ - struct translate_buffer_variant buffer_variant[PIPE_MAX_ATTRIBS]; + struct translate_buffer_variant buffer_variant[TRANSLATE_MAX_ATTRIBS]; unsigned nr_buffer_variants; /* Multiple elements can map to a single buffer variant. */ - unsigned element_to_buffer_variant[PIPE_MAX_ATTRIBS]; + unsigned element_to_buffer_variant[TRANSLATE_MAX_ATTRIBS]; boolean use_instancing; unsigned instance_id; @@ -1494,6 +1494,8 @@ translate_sse2_create(const struct translate_key *key) p->translate.release = translate_sse_release; p->translate.set_buffer = translate_sse_set_buffer; + assert(key->nr_elements <= TRANSLATE_MAX_ATTRIBS); + for (i = 0; i < key->nr_elements; i++) { if (key->element[i].type == TRANSLATE_ELEMENT_NORMAL) { unsigned j;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor