draw: Prevent out-of-bounds vertex buffer access.
Based on some code and ideas from Keith Whitwell.
This commit is contained in:
parent
4a7f013f9d
commit
3733da31e8
|
@ -107,6 +107,7 @@ C_SOURCES = \
|
||||||
util/u_caps.c \
|
util/u_caps.c \
|
||||||
util/u_cpu_detect.c \
|
util/u_cpu_detect.c \
|
||||||
util/u_dl.c \
|
util/u_dl.c \
|
||||||
|
util/u_draw.c \
|
||||||
util/u_draw_quad.c \
|
util/u_draw_quad.c \
|
||||||
util/u_format.c \
|
util/u_format.c \
|
||||||
util/u_format_other.c \
|
util/u_format_other.c \
|
||||||
|
|
|
@ -154,6 +154,7 @@ source = [
|
||||||
'util/u_dump_defines.c',
|
'util/u_dump_defines.c',
|
||||||
'util/u_dump_state.c',
|
'util/u_dump_state.c',
|
||||||
'util/u_dl.c',
|
'util/u_dl.c',
|
||||||
|
'util/u_draw.c',
|
||||||
'util/u_draw_quad.c',
|
'util/u_draw_quad.c',
|
||||||
'util/u_format.c',
|
'util/u_format.c',
|
||||||
'util/u_format_other.c',
|
'util/u_format_other.c',
|
||||||
|
|
|
@ -146,6 +146,14 @@ struct draw_context
|
||||||
struct pipe_vertex_buffer vertex_buffer[PIPE_MAX_ATTRIBS];
|
struct pipe_vertex_buffer vertex_buffer[PIPE_MAX_ATTRIBS];
|
||||||
unsigned nr_vertex_buffers;
|
unsigned nr_vertex_buffers;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This is the largest legal index value for the current set of
|
||||||
|
* bound vertex buffers. Regardless of any other consideration,
|
||||||
|
* all vertex lookups need to be clamped to 0..max_index to
|
||||||
|
* prevent out-of-bound access.
|
||||||
|
*/
|
||||||
|
unsigned max_index;
|
||||||
|
|
||||||
struct pipe_vertex_element vertex_element[PIPE_MAX_ATTRIBS];
|
struct pipe_vertex_element vertex_element[PIPE_MAX_ATTRIBS];
|
||||||
unsigned nr_vertex_elements;
|
unsigned nr_vertex_elements;
|
||||||
|
|
||||||
|
|
|
@ -470,6 +470,17 @@ draw_vbo(struct draw_context *draw,
|
||||||
if (0)
|
if (0)
|
||||||
draw_print_arrays(draw, info->mode, info->start, MIN2(info->count, 20));
|
draw_print_arrays(draw, info->mode, info->start, MIN2(info->count, 20));
|
||||||
|
|
||||||
|
draw->pt.max_index = util_draw_max_index(draw->pt.vertex_buffer,
|
||||||
|
draw->pt.nr_vertex_buffers,
|
||||||
|
draw->pt.vertex_element,
|
||||||
|
draw->pt.nr_vertex_elements,
|
||||||
|
info);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* TODO: We could use draw->pt.max_index to further narrow
|
||||||
|
* the min_index/max_index hints given by the state tracker.
|
||||||
|
*/
|
||||||
|
|
||||||
for (instance = 0; instance < info->instance_count; instance++) {
|
for (instance = 0; instance < info->instance_count; instance++) {
|
||||||
draw->instance_id = instance + info->start_instance;
|
draw->instance_id = instance + info->start_instance;
|
||||||
|
|
||||||
|
|
|
@ -139,7 +139,7 @@ void draw_pt_fetch_run( struct pt_fetch *fetch,
|
||||||
((char *)draw->pt.user.vbuffer[i] +
|
((char *)draw->pt.user.vbuffer[i] +
|
||||||
draw->pt.vertex_buffer[i].buffer_offset),
|
draw->pt.vertex_buffer[i].buffer_offset),
|
||||||
draw->pt.vertex_buffer[i].stride,
|
draw->pt.vertex_buffer[i].stride,
|
||||||
draw->pt.user.max_index);
|
draw->pt.max_index);
|
||||||
}
|
}
|
||||||
|
|
||||||
translate->run_elts( translate,
|
translate->run_elts( translate,
|
||||||
|
|
|
@ -186,7 +186,7 @@ static void fetch_emit_prepare( struct draw_pt_middle_end *middle,
|
||||||
((char *)draw->pt.user.vbuffer[i] +
|
((char *)draw->pt.user.vbuffer[i] +
|
||||||
draw->pt.vertex_buffer[i].buffer_offset),
|
draw->pt.vertex_buffer[i].buffer_offset),
|
||||||
draw->pt.vertex_buffer[i].stride,
|
draw->pt.vertex_buffer[i].stride,
|
||||||
draw->pt.user.max_index);
|
draw->pt.max_index);
|
||||||
}
|
}
|
||||||
|
|
||||||
*max_vertices = (draw->render->max_vertex_buffer_bytes /
|
*max_vertices = (draw->render->max_vertex_buffer_bytes /
|
||||||
|
|
|
@ -169,7 +169,7 @@ static void fse_prepare( struct draw_pt_middle_end *middle,
|
||||||
((const ubyte *) draw->pt.user.vbuffer[i] +
|
((const ubyte *) draw->pt.user.vbuffer[i] +
|
||||||
draw->pt.vertex_buffer[i].buffer_offset),
|
draw->pt.vertex_buffer[i].buffer_offset),
|
||||||
draw->pt.vertex_buffer[i].stride,
|
draw->pt.vertex_buffer[i].stride,
|
||||||
draw->pt.user.max_index );
|
draw->pt.max_index );
|
||||||
}
|
}
|
||||||
|
|
||||||
*max_vertices = (draw->render->max_vertex_buffer_bytes /
|
*max_vertices = (draw->render->max_vertex_buffer_bytes /
|
||||||
|
|
|
@ -85,7 +85,12 @@ vsplit_flush_cache(struct vsplit_frontend *vsplit, unsigned flags)
|
||||||
static INLINE void
|
static INLINE void
|
||||||
vsplit_add_cache(struct vsplit_frontend *vsplit, unsigned fetch)
|
vsplit_add_cache(struct vsplit_frontend *vsplit, unsigned fetch)
|
||||||
{
|
{
|
||||||
unsigned hash = fetch % MAP_SIZE;
|
struct draw_context *draw = vsplit->draw;
|
||||||
|
unsigned hash;
|
||||||
|
|
||||||
|
fetch = MIN2(fetch, draw->pt.max_index);
|
||||||
|
|
||||||
|
hash = fetch % MAP_SIZE;
|
||||||
|
|
||||||
if (vsplit->cache.fetches[hash] != fetch) {
|
if (vsplit->cache.fetches[hash] != fetch) {
|
||||||
/* update cache */
|
/* update cache */
|
||||||
|
|
|
@ -56,7 +56,9 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit,
|
||||||
|
|
||||||
for (i = 0; i < icount; i++) {
|
for (i = 0; i < icount; i++) {
|
||||||
ELT_TYPE idx = ib[i];
|
ELT_TYPE idx = ib[i];
|
||||||
assert(idx >= min_index && idx <= max_index);
|
if (idx >= min_index && idx <= max_index) {
|
||||||
|
debug_printf("warning: index out of range\n");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
draw_elts = (const ushort *) ib;
|
draw_elts = (const ushort *) ib;
|
||||||
}
|
}
|
||||||
|
@ -87,7 +89,9 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit,
|
||||||
for (i = 0; i < icount; i++) {
|
for (i = 0; i < icount; i++) {
|
||||||
ELT_TYPE idx = ib[i];
|
ELT_TYPE idx = ib[i];
|
||||||
|
|
||||||
assert(idx >= min_index && idx <= max_index);
|
if (idx >= min_index && idx <= max_index) {
|
||||||
|
debug_printf("warning: index out of range\n");
|
||||||
|
}
|
||||||
vsplit->draw_elts[i] = (ushort) idx;
|
vsplit->draw_elts[i] = (ushort) idx;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -95,7 +99,9 @@ CONCAT(vsplit_primitive_, ELT_TYPE)(struct vsplit_frontend *vsplit,
|
||||||
for (i = 0; i < icount; i++) {
|
for (i = 0; i < icount; i++) {
|
||||||
ELT_TYPE idx = ib[i];
|
ELT_TYPE idx = ib[i];
|
||||||
|
|
||||||
assert(idx >= min_index && idx <= max_index);
|
if (idx >= min_index && idx <= max_index) {
|
||||||
|
debug_printf("warning: index out of range\n");
|
||||||
|
}
|
||||||
vsplit->draw_elts[i] = (ushort) (idx - min_index);
|
vsplit->draw_elts[i] = (ushort) (idx - min_index);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,99 @@
|
||||||
|
/**************************************************************************
|
||||||
|
*
|
||||||
|
* Copyright 2011 VMware, Inc.
|
||||||
|
* All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Permission is hereby granted, free of charge, to any person obtaining a
|
||||||
|
* copy of this software and associated documentation files (the
|
||||||
|
* "Software"), to deal in the Software without restriction, including
|
||||||
|
* without limitation the rights to use, copy, modify, merge, publish,
|
||||||
|
* distribute, sub license, and/or sell copies of the Software, and to
|
||||||
|
* permit persons to whom the Software is furnished to do so, subject to
|
||||||
|
* the following conditions:
|
||||||
|
*
|
||||||
|
* The above copyright notice and this permission notice (including the
|
||||||
|
* next paragraph) shall be included in all copies or substantial portions
|
||||||
|
* of the Software.
|
||||||
|
*
|
||||||
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
||||||
|
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||||
|
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
|
||||||
|
* IN NO EVENT SHALL VMWARE AND/OR ITS SUPPLIERS BE LIABLE FOR
|
||||||
|
* ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
||||||
|
* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
||||||
|
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
*
|
||||||
|
**************************************************************************/
|
||||||
|
|
||||||
|
|
||||||
|
#include "util/u_debug.h"
|
||||||
|
#include "util/u_math.h"
|
||||||
|
#include "util/u_format.h"
|
||||||
|
#include "util/u_draw.h"
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the largest legal index value for the current set of bound vertex
|
||||||
|
* buffers. Regardless of any other consideration, all vertex lookups need to
|
||||||
|
* be clamped to 0..max_index to prevent an out-of-bound access.
|
||||||
|
*/
|
||||||
|
unsigned
|
||||||
|
util_draw_max_index(
|
||||||
|
const struct pipe_vertex_buffer *vertex_buffers,
|
||||||
|
unsigned nr_vertex_buffers,
|
||||||
|
const struct pipe_vertex_element *vertex_elements,
|
||||||
|
unsigned nr_vertex_elements,
|
||||||
|
const struct pipe_draw_info *info)
|
||||||
|
{
|
||||||
|
unsigned max_index;
|
||||||
|
unsigned i;
|
||||||
|
|
||||||
|
max_index = ~0;
|
||||||
|
for (i = 0; i < nr_vertex_elements; i++) {
|
||||||
|
const struct pipe_vertex_element *element =
|
||||||
|
&vertex_elements[i];
|
||||||
|
const struct pipe_vertex_buffer *buffer =
|
||||||
|
&vertex_buffers[element->vertex_buffer_index];
|
||||||
|
unsigned buffer_size;
|
||||||
|
const struct util_format_description *format_desc;
|
||||||
|
unsigned format_size;
|
||||||
|
|
||||||
|
assert(buffer->buffer->height0 == 1);
|
||||||
|
assert(buffer->buffer->depth0 == 1);
|
||||||
|
buffer_size = buffer->buffer->width0;
|
||||||
|
|
||||||
|
format_desc = util_format_description(element->src_format);
|
||||||
|
assert(format_desc->block.width == 1);
|
||||||
|
assert(format_desc->block.height == 1);
|
||||||
|
assert(format_desc->block.bits % 8 == 0);
|
||||||
|
format_size = format_desc->block.bits/8;
|
||||||
|
|
||||||
|
assert(buffer_size - buffer->buffer_offset <= buffer_size);
|
||||||
|
buffer_size -= buffer->buffer_offset;
|
||||||
|
|
||||||
|
assert(buffer_size - element->src_offset <= buffer_size);
|
||||||
|
buffer_size -= element->src_offset;
|
||||||
|
|
||||||
|
assert(buffer_size - format_size <= buffer_size);
|
||||||
|
buffer_size -= format_size;
|
||||||
|
|
||||||
|
if (buffer->stride != 0) {
|
||||||
|
unsigned buffer_max_index;
|
||||||
|
|
||||||
|
buffer_max_index = buffer_size / buffer->stride;
|
||||||
|
|
||||||
|
if (element->instance_divisor == 0) {
|
||||||
|
/* Per-vertex data */
|
||||||
|
max_index = MIN2(max_index, buffer_max_index);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
/* Per-instance data. Simply make sure the state tracker didn't
|
||||||
|
* request more instances than those that fit in the buffer */
|
||||||
|
assert((info->start_instance + info->instance_count)/element->instance_divisor
|
||||||
|
<= (buffer_max_index + 1));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return max_index;
|
||||||
|
}
|
|
@ -34,6 +34,11 @@
|
||||||
#include "pipe/p_state.h"
|
#include "pipe/p_state.h"
|
||||||
|
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
static INLINE void
|
static INLINE void
|
||||||
util_draw_init_info(struct pipe_draw_info *info)
|
util_draw_init_info(struct pipe_draw_info *info)
|
||||||
{
|
{
|
||||||
|
@ -136,4 +141,18 @@ util_draw_range_elements(struct pipe_context *pipe,
|
||||||
pipe->draw_vbo(pipe, &info);
|
pipe->draw_vbo(pipe, &info);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
unsigned
|
||||||
|
util_draw_max_index(
|
||||||
|
const struct pipe_vertex_buffer *vertex_buffers,
|
||||||
|
unsigned nr_vertex_buffers,
|
||||||
|
const struct pipe_vertex_element *vertex_elements,
|
||||||
|
unsigned nr_vertex_elements,
|
||||||
|
const struct pipe_draw_info *info);
|
||||||
|
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#endif /* !U_DRAW_H */
|
||||||
|
|
Loading…
Reference in New Issue