mesa: Check index buffer offset in DrawElements

DrawElements checks for count beeing larger than index buffer object. But application can specify offset to buffer leading to buffer overflow again. ARB_vertex_buffer_object leaves the case undefined but allows program termination. But if we do check the index buffer size it makes sense to check it correctly. " What happens when an attempt is made to access data outside the bounds of the buffer object with a command that dereferences the arrays? RESOLVED: ALLOW PROGRAM TERMINATION. In the event of a software fallback, bounds checking can become impractical. Since applications don't know the actual address of the buffer object and only provide an offset, they can't ever guarantee that out-of-bounds offsets will fall on valid memory. So it's hard to do any better than this." Signed-off-by: Pauli Nieminen <pauli.nieminen@linux.intel.com> Reviewed-by: Brian Paul <brianp@vmware.com>
author: Pauli Nieminen <pauli.nieminen@linux.intel.com> 2012-06-09 00:45:46 +0300
committer: Pauli Nieminen <pauli.nieminen@linux.intel.com> 2012-06-12 18:39:48 +0300
commit: 0be46a68caee74beca744988ef5dd06c1ea321b5 (patch)
tree: b79d0c5467dec8bbc9cd693fe77c919d4efb8ddf
parent: cd4cc3037d780000099b4da3d0bbf835ac96bb83 (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/src/mesa/main/api_validate.c b/src/mesa/main/api_validate.c
index 02495a15a9..d36f6dea72 100644
--- a/src/mesa/main/api_validate.c
+++ b/src/mesa/main/api_validate.c
@@ -299,7 +299,8 @@ _mesa_validate_DrawElements(struct gl_context *ctx,
    if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) {
       /* use indices in the buffer object */
       /* make sure count doesn't go outside buffer bounds */
-      if (index_bytes(type, count) > ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
+      if (index_bytes(type, count) + (GLintptr)indices >
+          ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
          _mesa_warning(ctx, "glDrawElements index out of buffer bounds");
          return GL_FALSE;
       }
@@ -359,7 +360,8 @@ _mesa_validate_DrawRangeElements(struct gl_context *ctx, GLenum mode,
    if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) {
       /* use indices in the buffer object */
       /* make sure count doesn't go outside buffer bounds */
-      if (index_bytes(type, count) > ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
+      if (index_bytes(type, count) + (GLintptr)indices >
+          ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
          _mesa_warning(ctx, "glDrawRangeElements index out of buffer bounds");
          return GL_FALSE;
       }
@@ -493,7 +495,8 @@ _mesa_validate_DrawElementsInstanced(struct gl_context *ctx,
    if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) {
       /* use indices in the buffer object */
       /* make sure count doesn't go outside buffer bounds */
-      if (index_bytes(type, count) > ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
+      if (index_bytes(type, count) + (GLintptr)indices >
+          ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
          _mesa_warning(ctx,
                        "glDrawElementsInstanced index out of buffer bounds");
          return GL_FALSE;
author	Pauli Nieminen <pauli.nieminen@linux.intel.com>	2012-06-09 00:45:46 +0300
committer	Pauli Nieminen <pauli.nieminen@linux.intel.com>	2012-06-12 18:39:48 +0300
commit	0be46a68caee74beca744988ef5dd06c1ea321b5 (patch)
tree	b79d0c5467dec8bbc9cd693fe77c919d4efb8ddf
parent	cd4cc3037d780000099b4da3d0bbf835ac96bb83 (diff)