draw: Prevent out-of-bounds vertex buffer access.

Based on some code and ideas from Keith Whitwell.

src/gallium/auxiliary/Makefile

@@ -107,6 +107,7 @@ C_SOURCES = \
 	util/u_caps.c \
 	util/u_cpu_detect.c \
 	util/u_dl.c \
+	util/u_draw.c \
 	util/u_draw_quad.c \
 	util/u_format.c \
 	util/u_format_other.c \

src/gallium/auxiliary/SConscript

@@ -154,6 +154,7 @@ source = [
     'util/u_dump_defines.c',
     'util/u_dump_state.c',
     'util/u_dl.c',
+    'util/u_draw.c',
     'util/u_draw_quad.c',
     'util/u_format.c',
     'util/u_format_other.c',

src/gallium/auxiliary/draw/draw_private.h

@@ -146,6 +146,14 @@ struct draw_context
       struct pipe_vertex_buffer vertex_buffer[PIPE_MAX_ATTRIBS];
       unsigned nr_vertex_buffers;
 
+      /*
+       * This is the largest legal index value for the current set of
+       * bound vertex buffers.  Regardless of any other consideration,
+       * all vertex lookups need to be clamped to 0..max_index to
+       * prevent out-of-bound access.
+       */
+      unsigned max_index;
+
       struct pipe_vertex_element vertex_element[PIPE_MAX_ATTRIBS];
       unsigned nr_vertex_elements;
 

src/gallium/auxiliary/draw/draw_pt.c

@@ -470,6 +470,17 @@ draw_vbo(struct draw_context *draw,
    if (0)
       draw_print_arrays(draw, info->mode, info->start, MIN2(info->count, 20));
 
+   draw->pt.max_index = util_draw_max_index(draw->pt.vertex_buffer,
+                                            draw->pt.nr_vertex_buffers,
+                                            draw->pt.vertex_element,
+                                            draw->pt.nr_vertex_elements,
+                                            info);
+
+   /*
+    * TODO: We could use draw->pt.max_index to further narrow
+    * the min_index/max_index hints given by the state tracker.
+    */
+
    for (instance = 0; instance < info->instance_count; instance++) {
       draw->instance_id = instance + info->start_instance;
 

src/gallium/auxiliary/draw/draw_pt_fetch.c

@@ -139,7 +139,7 @@ void draw_pt_fetch_run( struct pt_fetch *fetch,
 			    ((char *)draw->pt.user.vbuffer[i] + 
 			     draw->pt.vertex_buffer[i].buffer_offset),
 			    draw->pt.vertex_buffer[i].stride,
-			    draw->pt.user.max_index);
+			    draw->pt.max_index);
    }
 
    translate->run_elts( translate,

src/gallium/auxiliary/draw/draw_pt_fetch_emit.c

@@ -186,7 +186,7 @@ static void fetch_emit_prepare( struct draw_pt_middle_end *middle,
                                   ((char *)draw->pt.user.vbuffer[i] + 
                                    draw->pt.vertex_buffer[i].buffer_offset),
                                   draw->pt.vertex_buffer[i].stride,
-                                  draw->pt.user.max_index);
+                                  draw->pt.max_index);
    }
 
    *max_vertices = (draw->render->max_vertex_buffer_bytes / 

src/gallium/auxiliary/draw/draw_pt_fetch_shade_emit.c

@@ -169,7 +169,7 @@ static void fse_prepare( struct draw_pt_middle_end *middle,
                                ((const ubyte *) draw->pt.user.vbuffer[i] + 
                                 draw->pt.vertex_buffer[i].buffer_offset),
                               draw->pt.vertex_buffer[i].stride,
-                              draw->pt.user.max_index );
+                              draw->pt.max_index );
    }
 
    *max_vertices = (draw->render->max_vertex_buffer_bytes / 

src/gallium/auxiliary/draw/draw_pt_vsplit.c

@@ -85,7 +85,12 @@ vsplit_flush_cache(struct vsplit_frontend *vsplit, unsigned flags)
 static INLINE void
 vsplit_add_cache(struct vsplit_frontend *vsplit, unsigned fetch)
 {
-   unsigned hash = fetch % MAP_SIZE;
+   struct draw_context *draw = vsplit->draw;
+   unsigned hash;
+
+   fetch = MIN2(fetch, draw->pt.max_index);
+
+   hash = fetch % MAP_SIZE;
 
    if (vsplit->cache.fetches[hash] != fetch) {
       /* update cache */

src/gallium/auxiliary/draw/draw_pt_vsplit_tmp.h

@@ -56,7 +56,9 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit,
 
       for (i = 0; i < icount; i++) {
          ELT_TYPE idx = ib[i];
-         assert(idx >= min_index && idx <= max_index);
+         if (idx >= min_index && idx <= max_index) {
+            debug_printf("warning: index out of range\n");
+         }
       }
       draw_elts = (const ushort *) ib;
    }
@@ -87,7 +89,9 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit,
          for (i = 0; i < icount; i++) {
             ELT_TYPE idx = ib[i];
 
-            assert(idx >= min_index && idx <= max_index);
+            if (idx >= min_index && idx <= max_index) {
+               debug_printf("warning: index out of range\n");
+	    }
             vsplit->draw_elts[i] = (ushort) idx;
          }
       }
@@ -95,7 +99,9 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit,
          for (i = 0; i < icount; i++) {
             ELT_TYPE idx = ib[i];
 
-            assert(idx >= min_index && idx <= max_index);
+            if (idx >= min_index && idx <= max_index) {
+               debug_printf("warning: index out of range\n");
+	    }
             vsplit->draw_elts[i] = (ushort) (idx - min_index);
          }
       }

src/gallium/auxiliary/util/u_draw.c

@@ -0,0 +1,99 @@
+/**************************************************************************
+ *
+ * Copyright 2011 VMware, Inc.
+ * All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sub license, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the
+ * next paragraph) shall be included in all copies or substantial portions
+ * of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
+ * IN NO EVENT SHALL VMWARE AND/OR ITS SUPPLIERS BE LIABLE FOR
+ * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ **************************************************************************/
+
+
+#include "util/u_debug.h"
+#include "util/u_math.h"
+#include "util/u_format.h"
+#include "util/u_draw.h"
+
+
+/**
+ * Returns the largest legal index value for the current set of bound vertex
+ * buffers.  Regardless of any other consideration, all vertex lookups need to
+ * be clamped to 0..max_index to prevent an out-of-bound access.
+ */
+unsigned
+util_draw_max_index(
+      const struct pipe_vertex_buffer *vertex_buffers,
+      unsigned nr_vertex_buffers,
+      const struct pipe_vertex_element *vertex_elements,
+      unsigned nr_vertex_elements,
+      const struct pipe_draw_info *info)
+{
+   unsigned max_index;
+   unsigned i;
+
+   max_index = ~0;
+   for (i = 0; i < nr_vertex_elements; i++) {
+      const struct pipe_vertex_element *element =
+         &vertex_elements[i];
+      const struct pipe_vertex_buffer *buffer =
+         &vertex_buffers[element->vertex_buffer_index];
+      unsigned buffer_size;
+      const struct util_format_description *format_desc;
+      unsigned format_size;
+
+      assert(buffer->buffer->height0 == 1);
+      assert(buffer->buffer->depth0 == 1);
+      buffer_size = buffer->buffer->width0;
+
+      format_desc = util_format_description(element->src_format);
+      assert(format_desc->block.width == 1);
+      assert(format_desc->block.height == 1);
+      assert(format_desc->block.bits % 8 == 0);
+      format_size = format_desc->block.bits/8;
+
+      assert(buffer_size - buffer->buffer_offset <= buffer_size);
+      buffer_size -= buffer->buffer_offset;
+
+      assert(buffer_size - element->src_offset <= buffer_size);
+      buffer_size -= element->src_offset;
+
+      assert(buffer_size - format_size <= buffer_size);
+      buffer_size -= format_size;
+
+      if (buffer->stride != 0) {
+         unsigned buffer_max_index;
+
+         buffer_max_index = buffer_size / buffer->stride;
+
+         if (element->instance_divisor == 0) {
+            /* Per-vertex data */
+            max_index = MIN2(max_index, buffer_max_index);
+         }
+         else {
+            /* Per-instance data. Simply make sure the state tracker didn't
+             * request more instances than those that fit in the buffer */
+            assert((info->start_instance + info->instance_count)/element->instance_divisor
+                   <= (buffer_max_index + 1));
+         }
+      }
+   }
+
+   return max_index;
+}

src/gallium/auxiliary/util/u_draw.h

@@ -34,6 +34,11 @@
 #include "pipe/p_state.h"
 
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
 static INLINE void
 util_draw_init_info(struct pipe_draw_info *info)
 {
@@ -136,4 +141,18 @@ util_draw_range_elements(struct pipe_context *pipe,
    pipe->draw_vbo(pipe, &info);
 }
 
+
+unsigned
+util_draw_max_index(
+      const struct pipe_vertex_buffer *vertex_buffers,
+      unsigned nr_vertex_buffers,
+      const struct pipe_vertex_element *vertex_elements,
+      unsigned nr_vertex_elements,
+      const struct pipe_draw_info *info);
+
+
+#ifdef __cplusplus
+}
 #endif
+
+#endif /* !U_DRAW_H */