From 1c3f7ab74ce492d6c92f2e3a0f29957fa9a71d96 Mon Sep 17 00:00:00 2001
From: Brian Paul
Date: Wed, 4 Nov 2009 17:51:21 -0700
Subject: vbo: fix out-of-bounds array access

The exec->vtx.inputs[] array was being written past its end. This was clobbering the following vbo_exec_context::eval state. Probably not noticed since evaluators and immediate mode rendering don't happen at the same time. Fixed the loop in vbo_exec_vtx_init(). Changed the size of the vbo_exec_context::vtx.arrays[] array. Added a bunch of debug-build assertions. Issue found by Vinson Lee.
---
 src/mesa/vbo/vbo_exec_draw.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'src/mesa/vbo/vbo_exec_draw.c')

diff --git a/src/mesa/vbo/vbo_exec_draw.c b/src/mesa/vbo/vbo_exec_draw.c
index 0c258c535e..f41d629450 100644
--- a/src/mesa/vbo/vbo_exec_draw.c
+++ b/src/mesa/vbo/vbo_exec_draw.c
@@ -172,6 +172,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
 exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
 }
 for (attr = 0; attr < MAT_ATTRIB_MAX; attr++) {
+ ASSERT(attr + 16 < Elements(exec->vtx.inputs));
 exec->vtx.inputs[attr + 16] = &vbo->mat_currval[attr];
 }
 map = vbo->map_vp_none;
@@ -184,6 +185,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
 */
 for (attr = 0; attr < 16; attr++) {
 exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
+ ASSERT(attr + 16 < Elements(exec->vtx.inputs));
 exec->vtx.inputs[attr + 16] = &vbo->generic_currval[attr];
 }
 map = vbo->map_vp_arb;
@@ -212,6 +214,8 @@ vbo_exec_bind_arrays( GLcontext *ctx )
 if (exec->vtx.attrsz[src]) {
 /* override the default array set above */
+ ASSERT(attr < Elements(exec->vtx.inputs));
+ ASSERT(attr < Elements(exec->vtx.arrays)); /* arrays[] */
 exec->vtx.inputs[attr] = &arrays[attr];
 if (_mesa_is_bufferobj(exec->vtx.bufferobj)) {
-- 
cgit v1.2.3
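Review bot: The bound `ASSERT(attr + 16 < Elements(exec->vtx.inputs));` added inside the MAT_ATTRIB_MAX loop compares two compile-time constants on every iteration and, being ASSERT, is compiled out of release builds, so the `exec->vtx.inputs[attr + 16]` store on the next line stays unchecked exactly where the out-of-bounds write the commit describes would occur; the identical assertion in the second hunk has the same property. Because both loop bounds are constants, the invariant can be stated once before the loop as `ASSERT(MAT_ATTRIB_MAX + 16 <= Elements(exec->vtx.inputs));` (or as a compile-time assertion if the tree provides one), which also records the sizing requirement the commit message says was fixed in the header rather than here. The hard-coded `16` presumably is the first index of the material/generic attribute range; using the attribute-index constant for it, if one exists, would make the bound self-describing. vbo_exec_bind_arrays() starts before and continues past this hunk.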
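Review bot: The two new assertions bound `attr` against inputs[] and arrays[], but the `exec->vtx.attrsz[src]` read on the hunk's first line, which gates those stores, is indexed by `src` with no corresponding check; adding `ASSERT(src < Elements(exec->vtx.attrsz));` next to them would catch a bad index at its first use instead of at the later store. Where `src` is derived is outside the hunk (presumably from the `map` chosen in the earlier hunks), so whether it is already validated cannot be confirmed from these lines. The trailing `/* arrays[] */` on the second assertion is terse; if `arrays` is a local alias for `exec->vtx.arrays`, as the comment implies, `/* arrays aliases exec->vtx.arrays, so bound-check the member */` would explain why the member rather than the local is checked. vbo_exec_bind_arrays() starts before and continues past this hunk.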