From d1e40c9bddc3516da0facf0d2f3f7db4533a1396 Mon Sep 17 00:00:00 2001
From: Aapo Tahkola <aet@rasterburn.org>
Date: Mon, 28 Feb 2005 00:27:02 +0000
Subject: fix for 'nasty bug' and some sanity checks to avoid buffer overruns.
 Bumping VSF_MAX_FRAGMENT_LENGTH as it seems a bit low otherwise.

---
 src/mesa/drivers/dri/r300/r300_context.c    |  2 +-
 src/mesa/drivers/dri/r300/r300_context.h    | 10 ++--------
 src/mesa/drivers/dri/r300/r300_maos.c       | 11 +++++++++--
 src/mesa/drivers/dri/r300/r300_state.c      |  4 ++--
 src/mesa/drivers/dri/r300/r300_vertexprog.c | 24 +++++++++++++++++++++---
 5 files changed, 35 insertions(+), 16 deletions(-)

(limited to 'src/mesa/drivers/dri')

diff --git a/src/mesa/drivers/dri/r300/r300_context.c b/src/mesa/drivers/dri/r300/r300_context.c
index ca9ee7c1ca..b37e98440f 100644
--- a/src/mesa/drivers/dri/r300/r300_context.c
+++ b/src/mesa/drivers/dri/r300/r300_context.c
@@ -216,7 +216,7 @@ GLboolean r300CreateContext(const __GLcontextModes * glVisual,
 	 * texturable memory at once.
 	 */
 
-	ctx = r300->radeon.glCtx;
+	ctx = r300->radeon.glCtx; 
 	
 	ctx->Const.MaxTextureImageUnits = driQueryOptioni(&r300->radeon.optionCache,
 						     "texture_image_units");
diff --git a/src/mesa/drivers/dri/r300/r300_context.h b/src/mesa/drivers/dri/r300/r300_context.h
index d3dbccc8ed..7879de1b88 100644
--- a/src/mesa/drivers/dri/r300/r300_context.h
+++ b/src/mesa/drivers/dri/r300/r300_context.h
@@ -122,16 +122,11 @@ struct r300_dma_region {
     int aos_reg;        /* VAP register assignment */
 };
 
-#define DUMP_DMA(rmesa) fprintf(stderr, "start=%d, end=%d, prt=%d, offset=%d, stride=%d, size=%d, format=%d, reg=%d\n",\
-rmesa->dma.current.start, rmesa->dma.current.end, rmesa->dma.current.ptr, rmesa->dma.current.aos_offset, \
-rmesa->dma.current.aos_stride, rmesa->dma.current.aos_size, rmesa->dma.current.aos_format, rmesa->dma.current.aos_reg);
-
 struct r300_dma {
 	/* Active dma region.  Allocations for vertices and retained
 	 * regions come from here.  Also used for emitting random vertices,
 	 * these may be flushed by calling flush_current();
 	 */
-	int dummy; /* move this below current to make arbvptorus work */
 	struct r300_dma_region current;
 
 	void (*flush) (r300ContextPtr);
@@ -519,7 +514,7 @@ struct r300_vap_reg_state {
 /* Vertex shader state */
 
 /* 64 appears to be the maximum */
-#define VSF_MAX_FRAGMENT_LENGTH 64
+#define VSF_MAX_FRAGMENT_LENGTH (64*4)
 
 
 struct r300_vertex_shader_fragment {
@@ -676,11 +671,10 @@ struct r300_state {
 	
 	GLuint render_inputs; /* actual render inputs that R300 was configured for. 
 				 They are the same as tnl->render_inputs for fixed pipeline */	
-#if 0
+	
 	struct {
 		int transform_offset;  /* Transform matrix offset, -1 if none */
 		} vap_param;  /* vertex processor parameter allocation - tells where to write parameters */
-#endif
 	int hw_stencil;
 };
 
diff --git a/src/mesa/drivers/dri/r300/r300_maos.c b/src/mesa/drivers/dri/r300/r300_maos.c
index 4fd3dc6eb7..547ab359b9 100644
--- a/src/mesa/drivers/dri/r300/r300_maos.c
+++ b/src/mesa/drivers/dri/r300/r300_maos.c
@@ -52,6 +52,7 @@ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 #define DEBUG_ALL DEBUG_VERTS
 
+
 #if defined(USE_X86_ASM)
 #define COPY_DWORDS( dst, src, nr )					\
 do {									\
@@ -243,6 +244,7 @@ void r300EmitArrays(GLcontext * ctx, GLboolean immd)
 	GLuint aa_vap_reg = 0; /* VAP register assignment */
 	GLuint i;
 	GLuint inputs = 0;
+	
 
 #define CONFIGURE_AOS(r, f, v, sz, cn) { \
 		if (RADEON_DEBUG & DEBUG_STATE) \
@@ -291,10 +293,15 @@ void r300EmitArrays(GLcontext * ctx, GLboolean immd)
 			inputs |= _TNL_BIT_FOG;
 			rmesa->state.aos[nr++].aos_reg = rmesa->current_vp->inputs[VERT_ATTRIB_FOG];
 		}
+		if(ctx->Const.MaxTextureUnits > 8) { /* Not sure if this can even happen... */
+			fprintf(stderr, "%s: Cant handle that many inputs\n", __FUNCTION__);
+			exit(-1);
+		}
 		for (i=0;i<ctx->Const.MaxTextureUnits;i++) {
-			if (rmesa->current_vp->inputs[VERT_ATTRIB_TEX0+i] != -1)
+			if (rmesa->current_vp->inputs[VERT_ATTRIB_TEX0+i] != -1) {
 				inputs |= _TNL_BIT_TEX0<<i;
 				rmesa->state.aos[nr++].aos_reg = rmesa->current_vp->inputs[VERT_ATTRIB_TEX0+i];
+			}
 		}
 		nr = 0;
 	} else {
@@ -310,7 +317,6 @@ void r300EmitArrays(GLcontext * ctx, GLboolean immd)
 
 		vic_1 |= R300_INPUT_CNTL_POS;
 	}
-	//DUMP_DMA(rmesa);
 
 	if (inputs & _TNL_BIT_NORMAL) {
 		CONFIGURE_AOS(i_normal,	AOS_FORMAT_FLOAT,
@@ -368,6 +374,7 @@ void r300EmitArrays(GLcontext * ctx, GLboolean immd)
 			vic_1 |= R300_INPUT_CNTL_TC0 << i;
 		}
 	}
+	
 
 int cmd_reserved=0;
 int cmd_written=0;
diff --git a/src/mesa/drivers/dri/r300/r300_state.c b/src/mesa/drivers/dri/r300/r300_state.c
index e20e34c199..da953ae2ac 100644
--- a/src/mesa/drivers/dri/r300/r300_state.c
+++ b/src/mesa/drivers/dri/r300/r300_state.c
@@ -1515,7 +1515,7 @@ void r300GenerateSimpleVertexShader(r300ContextPtr r300)
 	int i;
 
 	/* Allocate parameters */
-	//r300->state.vap_param.transform_offset=0x0;  /* transform matrix */
+	r300->state.vap_param.transform_offset=0x0;  /* transform matrix */
 	r300->state.vertex_shader.param_offset=0x0;
 	r300->state.vertex_shader.param_count=0x4;  /* 4 vector values - 4x4 matrix */
 	
@@ -1675,6 +1675,7 @@ void r300SetupVertexProgram(r300ContextPtr rmesa)
 	int inst_count;
 	int param_count;
 	LOCAL_VARS
+			
 
 	/* Reset state, in case we don't use something */
 	((drm_r300_cmd_header_t*)rmesa->hw.vpp.cmd)->vpu.count = 0;
@@ -2256,7 +2257,6 @@ void r300ResetHwState(r300ContextPtr r300)
 
 //END: TODO
 	//verify_r300ResetHwState(r300, 0);
-
 	r300->hw.all_dirty = GL_TRUE;
 }
 
diff --git a/src/mesa/drivers/dri/r300/r300_vertexprog.c b/src/mesa/drivers/dri/r300/r300_vertexprog.c
index f4b0d4109a..54aea4917b 100644
--- a/src/mesa/drivers/dri/r300/r300_vertexprog.c
+++ b/src/mesa/drivers/dri/r300/r300_vertexprog.c
@@ -250,7 +250,10 @@ void r300VertexProgUpdateParams(GLcontext *ctx, struct r300_vertex_program *vp)
 	_mesa_load_state_parameters(ctx, mesa_vp->Parameters);
 	
 	//debug_vp(ctx, mesa_vp);
-	
+	if(mesa_vp->Parameters->NumParameters * 4 > VSF_MAX_FRAGMENT_LENGTH){
+		fprintf(stderr, "%s:Params exhausted\n", __FUNCTION__);
+		exit(-1);
+	}
 	dst_index=0;
 	for(pi=0; pi < mesa_vp->Parameters->NumParameters; pi++){
 		switch(mesa_vp->Parameters->Parameters[pi].Type){
@@ -349,7 +352,21 @@ static unsigned long t_swizzle(GLubyte swizzle)
 			exit(0);
 	}
 }
-		
+
+void vp_dump_inputs(struct r300_vertex_program *vp, char *caller)
+{
+	int i;
+	
+	if(vp == NULL)
+		return ;
+	
+	fprintf(stderr, "%s:<", caller);
+	for(i=0; i < VERT_ATTRIB_MAX; i++)
+		fprintf(stderr, "%d ", vp->inputs[i]);
+	fprintf(stderr, ">\n");
+	
+}
+
 static unsigned long t_src_index(struct r300_vertex_program *vp, struct vp_src_register *src)
 {
 	int i;
@@ -366,7 +383,6 @@ static unsigned long t_src_index(struct r300_vertex_program *vp, struct vp_src_r
 			
 		default: printf("unknown input index %d\n", src->Index); exit(0); break;
 		}*/
-				
 		if(vp->inputs[src->Index] != -1)
 			return vp->inputs[src->Index];
 		
@@ -376,6 +392,8 @@ static unsigned long t_src_index(struct r300_vertex_program *vp, struct vp_src_r
 		
 		vp->inputs[src->Index]=max_reg+1;
 		
+		//vp_dump_inputs(vp, __FUNCTION__);	
+		
 		return vp->inputs[src->Index];
 	}else{
 		return src->Index;
-- 
cgit v1.2.3