[Mesa-dev] translate: fix buffer overflows

Submitted by Zack Rusin on March 4, 2014, 4:13 a.m.


Message ID 1393906385-9023-1-git-send-email-zackr@vmware.com

Commit Message

Zack Rusin March 4, 2014, 4:13 a.m.
Because draw always injects position at slot 0, a fragment shader that takes
the maximum number of inputs (32) leaves PIPE_MAX_ATTRIBS + 1 slots to
translate, which overran the PIPE_MAX_ATTRIBS-sized arrays and crashed with
fragment shaders that consumed the maximum number of attributes. The actual
maximum number of attributes we need to translate is therefore
PIPE_MAX_ATTRIBS + 1.
---
 src/gallium/auxiliary/translate/translate_generic.c | 2 +-
 src/gallium/auxiliary/translate/translate_sse.c     | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)


diff --git a/src/gallium/auxiliary/translate/translate_generic.c b/src/gallium/auxiliary/translate/translate_generic.c
index 5ffce32..82b4d00 100644
--- a/src/gallium/auxiliary/translate/translate_generic.c
+++ b/src/gallium/auxiliary/translate/translate_generic.c
@@ -73,7 +73,7 @@  struct translate_generic {
        */
       int copy_size;
 
-   } attrib[PIPE_MAX_ATTRIBS];
+   } attrib[PIPE_MAX_ATTRIBS + 1];
 
    unsigned nr_attrib;
 };
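Review bot: The `+ 1` on the attrib array is unexplained at the declaration; nothing in translate_generic.c tells a later reader that the extra slot exists because draw injects position at slot 0 on top of PIPE_MAX_ATTRIBS shader inputs, and a well-meaning cleanup could shrink it back and reintroduce the overflow. I would add `/* +1: draw injects position at slot 0, so up to PIPE_MAX_ATTRIBS + 1 elements reach translate */` above the array. struct translate_generic starts before this hunk, and the create path that fills attrib[] from the key is outside it, so whether the key's element count is checked against the new size cannot be seen here.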
diff --git a/src/gallium/auxiliary/translate/translate_sse.c b/src/gallium/auxiliary/translate/translate_sse.c
index b6bc222..1833d8a 100644
--- a/src/gallium/auxiliary/translate/translate_sse.c
+++ b/src/gallium/auxiliary/translate/translate_sse.c
@@ -104,15 +104,15 @@  struct translate_sse
    int8_t reg_to_const[16];
    int8_t const_to_reg[NUM_CONSTS];
 
-   struct translate_buffer buffer[PIPE_MAX_ATTRIBS];
+   struct translate_buffer buffer[PIPE_MAX_ATTRIBS + 1];
    unsigned nr_buffers;
 
    /* Multiple buffer variants can map to a single buffer. */
-   struct translate_buffer_variant buffer_variant[PIPE_MAX_ATTRIBS];
+   struct translate_buffer_variant buffer_variant[PIPE_MAX_ATTRIBS + 1];
    unsigned nr_buffer_variants;
 
    /* Multiple elements can map to a single buffer variant. */
-   unsigned element_to_buffer_variant[PIPE_MAX_ATTRIBS];
+   unsigned element_to_buffer_variant[PIPE_MAX_ATTRIBS + 1];
 
    boolean use_instancing;
    unsigned instance_id;
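Review bot: The same `PIPE_MAX_ATTRIBS + 1` literal now appears three times here and once in translate_generic.c with nothing tying them together, so if one backend's limit is changed later the other silently keeps the old size. A named constant in the shared translate header, e.g. `#define TRANSLATE_MAX_ATTRIBS (PIPE_MAX_ATTRIBS + 1)` used for all four declarations, would keep the two backends in step and carry the explanation once. Note that use_instancing and instance_id sit directly after element_to_buffer_variant, so an overrun of that array corrupts the code generator's own state rather than faulting, which is the quiet failure mode this sizing is guarding against. struct translate_sse and the create path that fills these arrays are outside the hunk, so I cannot see whether the key's element count is bounded against the new size.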

Comments

Looks good.

Adding a few assertions before dereferencing these arrays might come handy in the future.

Jose

----- Original Message -----
> Because in draw we always inject position at slot 0 whenever
> fragment shader would take the maximum number of inputs (32) it
> meant that we had PIPE_MAX_ATTRIBS + 1 slots to translate, which
> meant that we were crashing with fragment shaders that took
> the maximum number of attributes as inputs. The actual max number
> of attributes we need to translate thus is PIPE_MAX_ATTRIBS + 1.
> ---
>  src/gallium/auxiliary/translate/translate_generic.c | 2 +-
>  src/gallium/auxiliary/translate/translate_sse.c     | 6 +++---
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/src/gallium/auxiliary/translate/translate_generic.c
> b/src/gallium/auxiliary/translate/translate_generic.c
> index 5ffce32..82b4d00 100644
> --- a/src/gallium/auxiliary/translate/translate_generic.c
> +++ b/src/gallium/auxiliary/translate/translate_generic.c
> @@ -73,7 +73,7 @@ struct translate_generic {
>         */
>        int copy_size;
>  
> -   } attrib[PIPE_MAX_ATTRIBS];
> +   } attrib[PIPE_MAX_ATTRIBS + 1];
>  
>     unsigned nr_attrib;
>  };
> diff --git a/src/gallium/auxiliary/translate/translate_sse.c
> b/src/gallium/auxiliary/translate/translate_sse.c
> index b6bc222..1833d8a 100644
> --- a/src/gallium/auxiliary/translate/translate_sse.c
> +++ b/src/gallium/auxiliary/translate/translate_sse.c
> @@ -104,15 +104,15 @@ struct translate_sse
>     int8_t reg_to_const[16];
>     int8_t const_to_reg[NUM_CONSTS];
>  
> -   struct translate_buffer buffer[PIPE_MAX_ATTRIBS];
> +   struct translate_buffer buffer[PIPE_MAX_ATTRIBS + 1];
>     unsigned nr_buffers;
>  
>     /* Multiple buffer variants can map to a single buffer. */
> -   struct translate_buffer_variant buffer_variant[PIPE_MAX_ATTRIBS];
> +   struct translate_buffer_variant buffer_variant[PIPE_MAX_ATTRIBS + 1];
>     unsigned nr_buffer_variants;
>  
>     /* Multiple elements can map to a single buffer variant. */
> -   unsigned element_to_buffer_variant[PIPE_MAX_ATTRIBS];
> +   unsigned element_to_buffer_variant[PIPE_MAX_ATTRIBS + 1];
>  
>     boolean use_instancing;
>     unsigned instance_id;
> --
> 1.9.0
>