mesa: Check index buffer offset in DrawElements

DrawElements checks for cound beeing larger than index buffer object.
But application can specify offset to buffer leading to buffer overflow
again. ARB_vertex_buffer_object leaves the case undefined but allows
program termination.

But if we do check the index buffer size it makes sense to check it
correctly.

"   What happens when an attempt is made to access data outside the
    bounds of the buffer object with a command that dereferences the
    arrays?

        RESOLVED: ALLOW PROGRAM TERMINATION.  In the event of a
        software fallback, bounds checking can become impractical. Since
        applications don't know the actual address of the buffer object
        and only provide an offset, they can't ever guarantee that
        out-of-bounds offsets will fall on valid memory.  So it's hard to
        do any better than this."

Signed-off-by: Pauli Nieminen <pauli.nieminen@linux.intel.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/src/mesa/main/api_validate.c b/src/mesa/main/api_validate.c
index 02495a15a9..add65f8ea4 100644
--- a/src/mesa/main/api_validate.c
+++ b/src/mesa/main/api_validate.c
@@ -299,7 +299,8 @@ _mesa_validate_DrawElements(struct gl_context *ctx,
    if (_mesa_is_bufferobj(ctx->Array.ArrayObj->ElementArrayBufferObj)) {
       /* use indices in the buffer object */
       /* make sure count doesn't go outside buffer bounds */
-      if (index_bytes(type, count) > ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
+      if (index_bytes(type, count) + (uintptr_t)indices >
+          ctx->Array.ArrayObj->ElementArrayBufferObj->Size) {
          _mesa_warning(ctx, "glDrawElements index out of buffer bounds");
          return GL_FALSE;
       }