author | Pauli Nieminen <pauli.nieminen@linux.intel.com> | 2012-06-09 00:45:46 +0300 |
---|---|---|
committer | Pauli Nieminen <pauli.nieminen@linux.intel.com> | 2012-06-10 00:26:26 +0300 |
commit | 0498f6b79d1f27ed0d87443e29d16995cb9bf807 (patch) | |
tree | 95d21a5220aac30694b5cf2f3cff57ea63026080 | |
parent | 1aedbd9ce54c2803afd16103c09a706d2f2447fc (diff) |
mesa: Check index buffer offset in DrawElements
DrawElements checks for count being larger than the index buffer object.
But an application can specify an offset to the buffer, leading to a buffer overflow
again. ARB_vertex_buffer_object leaves the case undefined but allows
program termination.
But if we do check the index buffer size it makes sense to check it
correctly.
" What happens when an attempt is made to access data outside the
bounds of the buffer object with a command that dereferences the
arrays?
RESOLVED: ALLOW PROGRAM TERMINATION. In the event of a
software fallback, bounds checking can become impractical. Since
applications don't know the actual address of the buffer object
and only provide an offset, they can't ever guarantee that
out-of-bounds offsets will fall on valid memory. So it's hard to
do any better than this."
Signed-off-by: Pauli Nieminen <pauli.nieminen@linux.intel.com>
-rw-r--r-- | src/mesa/main/api_validate.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/mesa/main/api_validate.c b/src/mesa/main/api_validate.c index 02495a15a9..add65f8ea4 100644 --- a/src/mesa/main/api_validate.c +++ b/src/mesa/main/api_validate.c @@ -299,7 +299,8 @@ _mesa_validate_DrawElements(struct gl_context *ctx, if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) { /* use indices in the buffer object */ /* make sure count doesn't go outside buffer bounds */ - if (index_bytes(type, count) > ctx->Array.ArrayObj->ElementArrayBufferObj->Size) { + if (index_bytes(type, count) + (uintptr_t)indices > + ctx->Array.ArrayObj->ElementArrayBufferObj->Size) { _mesa_warning(ctx, "glDrawElements index out of buffer bounds"); return GL_FALSE; } |
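Review bot: The new bound in _mesa_validate_DrawElements can wrap, because `index_bytes(type, count) + (uintptr_t)indices` is computed in uintptr_t and `indices` is an application-supplied offset. An offset near the top of the uintptr_t range makes the sum small again, so the comparison against `ElementArrayBufferObj->Size` passes and the draw proceeds with an out-of-range offset, which is the case the commit message sets out to close. Comparing without the addition avoids this: reject first when `(uintptr_t)indices > Size`, then reject when `index_bytes(type, count) > Size - (uintptr_t)indices`. The comment above the check still reads "make sure count doesn't go outside buffer bounds"; it should mention the offset as well, and the `_mesa_warning` text could say that the offset plus count exceeds the buffer so the two failure causes are not reported as an index problem only.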