From 42896b2a18a89c74a2f95e491bed0b7352bef0aa Mon Sep 17 00:00:00 2001 From: Aapo Tahkola Date: Sat, 19 Feb 2005 02:25:53 +0000 Subject: Fix for buffer overrun caused by ALLOC_STATE not having args surrounded by parenthesis. Can you see it? HINT: Anything texture related should now work slightly better. And yes it took me several hours to find it. --- src/mesa/drivers/dri/r300/r300_cmdbuf.c | 15 +++++++-------- src/mesa/drivers/dri/r300/r300_context.h | 2 -- src/mesa/drivers/dri/r300/r300_render.c | 5 ++--- src/mesa/drivers/dri/r300/r300_state.c | 33 ++++++++++++++++++++------------ 4 files changed, 30 insertions(+), 25 deletions(-) (limited to 'src/mesa/drivers/dri') diff --git a/src/mesa/drivers/dri/r300/r300_cmdbuf.c b/src/mesa/drivers/dri/r300/r300_cmdbuf.c index c515b601b0..c9cd137f1c 100644 --- a/src/mesa/drivers/dri/r300/r300_cmdbuf.c +++ b/src/mesa/drivers/dri/r300/r300_cmdbuf.c @@ -183,7 +183,6 @@ static __inline__ void r300DoEmitState(r300ContextPtr r300, GLboolean dirty) } } - /** * Copy dirty hardware state atoms into the command buffer. * @@ -197,7 +196,7 @@ void r300EmitState(r300ContextPtr r300) if (r300->cmdbuf.count_used && !r300->hw.is_dirty && !r300->hw.all_dirty) return; - + /* To avoid going across the entire set of states multiple times, just check * for enough space for the case of emitting all state, and inline the * r300AllocCmdBuf code here without all the checks. @@ -270,13 +269,13 @@ CHECK( vpu, vpucount(atom->cmd) ? (1 + vpucount(atom->cmd)*4) : 0 ) #define ALLOC_STATE( ATOM, CHK, SZ, NM, IDX ) \ do { \ - r300->hw.ATOM.cmd_size = SZ; \ - r300->hw.ATOM.cmd = (uint32_t*)CALLOC(SZ * sizeof(uint32_t)); \ - r300->hw.ATOM.name = NM; \ - r300->hw.ATOM.idx = IDX; \ + r300->hw.ATOM.cmd_size = (SZ); \ + r300->hw.ATOM.cmd = (uint32_t*)CALLOC((SZ) * sizeof(uint32_t)); \ + r300->hw.ATOM.name = (NM); \ + r300->hw.ATOM.idx = (IDX); \ r300->hw.ATOM.check = check_##CHK; \ r300->hw.ATOM.dirty = GL_FALSE; \ - r300->hw.max_state_size += SZ; \ + r300->hw.max_state_size += (SZ); \ } while (0) @@ -287,7 +286,7 @@ CHECK( vpu, vpucount(atom->cmd) ? (1 + vpucount(atom->cmd)*4) : 0 ) void r300InitCmdBuf(r300ContextPtr r300) { int size, i, mtu; - + r300->hw.max_state_size = 0; mtu = r300->radeon.glCtx->Const.MaxTextureUnits; diff --git a/src/mesa/drivers/dri/r300/r300_context.h b/src/mesa/drivers/dri/r300/r300_context.h index 48822d326c..18dc9d1910 100644 --- a/src/mesa/drivers/dri/r300/r300_context.h +++ b/src/mesa/drivers/dri/r300/r300_context.h @@ -414,7 +414,6 @@ struct r300_hw_state { #ifdef EXP_C struct r300_state_atom lsf; /* line stipple factor */ #endif - struct r300_state_atom dummy[4]; struct r300_state_atom unk4260; /* (4260) */ struct r300_state_atom unk4274; /* (4274) */ struct r300_state_atom unk4288; /* (4288) */ @@ -456,7 +455,6 @@ struct r300_hw_state { struct r300_state_atom vpi; /* vp instructions */ struct r300_state_atom vpp; /* vp parameters */ struct r300_state_atom vps; /* vertex point size (?) */ - /* 8 texture units */ /* the state is grouped by function and not by texture unit. This makes single unit updates diff --git a/src/mesa/drivers/dri/r300/r300_render.c b/src/mesa/drivers/dri/r300/r300_render.c index 71977e7e41..2a57828e05 100644 --- a/src/mesa/drivers/dri/r300/r300_render.c +++ b/src/mesa/drivers/dri/r300/r300_render.c @@ -614,10 +614,10 @@ static GLboolean r300_run_vb_render(GLcontext *ctx, struct vertex_buffer *VB = &tnl->vb; int i, j; LOCAL_VARS - + if (RADEON_DEBUG & DEBUG_PRIMS) fprintf(stderr, "%s\n", __FUNCTION__); - + r300ReleaseArrays(ctx); r300EmitArrays(ctx, GL_FALSE); @@ -634,7 +634,6 @@ static GLboolean r300_run_vb_render(GLcontext *ctx, reg_start(0x4f18,0); e32(0x00000003); - r300EmitState(rmesa); rmesa->state.Elts = VB->Elts; diff --git a/src/mesa/drivers/dri/r300/r300_state.c b/src/mesa/drivers/dri/r300/r300_state.c index a811215016..a386564f76 100644 --- a/src/mesa/drivers/dri/r300/r300_state.c +++ b/src/mesa/drivers/dri/r300/r300_state.c @@ -1337,7 +1337,7 @@ void r300_setup_textures(GLcontext *ctx) R300_STATECHANGE(r300, tex.offset); R300_STATECHANGE(r300, tex.unknown4); R300_STATECHANGE(r300, tex.border_color); - + r300->state.texture.tc_count=0; r300->hw.txe.cmd[R300_TXE_ENABLE]=0x0; @@ -1346,35 +1346,43 @@ void r300_setup_textures(GLcontext *ctx) if (RADEON_DEBUG & DEBUG_STATE) fprintf(stderr, "mtu=%d\n", mtu); - if(mtu>R300_MAX_TEXTURE_UNITS){ + if(mtu > R300_MAX_TEXTURE_UNITS) { fprintf(stderr, "Aiiee ! mtu=%d is greater than R300_MAX_TEXTURE_UNITS=%d\n", mtu, R300_MAX_TEXTURE_UNITS); exit(-1); - } - for(i=0;istate.render_inputs & (_TNL_BIT_TEX0<Texture.Unit[i].Enabled)!=0) ) { WARN_ONCE("Mismatch between render_inputs and ctx->Texture.Unit[i].Enabled value.\n"); - } - if(r300->state.render_inputs & (_TNL_BIT_TEX0<state.render_inputs & (_TNL_BIT_TEX0<state.texture.unit[i].texobj; //fprintf(stderr, "format=%08x\n", r300->state.texture.unit[i].format); r300->state.texture.tc_count++; - if(t==NULL){ + + if(t == NULL){ fprintf(stderr, "Texture unit %d enabled, but corresponding texobj is NULL, using default object.\n", i); //exit(-1); t=&default_tex_obj; - } + } + //fprintf(stderr, "t->format=%08x\n", t->format); - if((t->format & 0xffffff00)==0xffffff00){ + if((t->format & 0xffffff00)==0xffffff00) { WARN_ONCE("unknown texture format (entry %x) encountered. Help me !\n", t->format & 0xff); //fprintf(stderr, "t->format=%08x\n", t->format); - } + } + if (RADEON_DEBUG & DEBUG_STATE) fprintf(stderr, "Activating texture unit %d\n", i); max_texture_unit=i; r300->hw.txe.cmd[R300_TXE_ENABLE]|=(1<hw.tex.filter.cmd[R300_TEX_VALUE_0+i]=gen_fixed_filter(t->filter); + r300->hw.tex.unknown1.cmd[R300_TEX_VALUE_0+i]=0x0; + /* No idea why linear filtered textures shake when puting random data */ /*r300->hw.tex.unknown1.cmd[R300_TEX_VALUE_0+i]=(rand()%0xffffffff) & (~0x1fff);*/ r300->hw.tex.size.cmd[R300_TEX_VALUE_0+i]=t->size; @@ -1383,8 +1391,9 @@ void r300_setup_textures(GLcontext *ctx) r300->hw.tex.offset.cmd[R300_TEX_VALUE_0+i]=r300->radeon.radeonScreen->fbLocation+t->offset; r300->hw.tex.unknown4.cmd[R300_TEX_VALUE_0+i]=0x0; r300->hw.tex.border_color.cmd[R300_TEX_VALUE_0+i]=t->pp_border_color; - } } + } + ((drm_r300_cmd_header_t*)r300->hw.tex.filter.cmd)->unchecked_state.count = max_texture_unit+1; ((drm_r300_cmd_header_t*)r300->hw.tex.unknown1.cmd)->unchecked_state.count = max_texture_unit+1; ((drm_r300_cmd_header_t*)r300->hw.tex.size.cmd)->unchecked_state.count = max_texture_unit+1; -- cgit v1.2.3