AlexIndustrial/mesa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix for buffer overrun caused by ALLOC_STATE not having args surrounded by parenthesis. Can you see it? HINT: Anything texture related should now work slightly better. And yes it took me several hours to find it.

Browse Source
This commit is contained in:
Aapo Tahkola
2005-02-19 02:25:53 +00:00
parent 10b892af96
commit 42896b2a18
4 changed files with 30 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/mesa/drivers/dri/r300/r300_cmdbuf.c
+7 -8
View File
@@ -183,7 +183,6 @@ static __inline__ void r300DoEmitState(r300ContextPtr r300, GLboolean dirty)
}
}
/**
* Copy dirty hardware state atoms into the command buffer.
*
@@ -197,7 +196,7 @@ void r300EmitState(r300ContextPtr r300)
if (r300->cmdbuf.count_used && !r300->hw.is_dirty && !r300->hw.all_dirty)
return;
/* To avoid going across the entire set of states multiple times, just check
* for enough space for the case of emitting all state, and inline the
* r300AllocCmdBuf code here without all the checks.
@@ -270,13 +269,13 @@ CHECK( vpu, vpucount(atom->cmd) ? (1 + vpucount(atom->cmd)*4) : 0 )
#define ALLOC_STATE( ATOM, CHK, SZ, NM, IDX ) \
do { \
r300->hw.ATOM.cmd_size = SZ; \
r300->hw.ATOM.cmd = (uint32_t*)CALLOC(SZ * sizeof(uint32_t)); \
r300->hw.ATOM.name = NM; \
r300->hw.ATOM.idx = IDX; \
r300->hw.ATOM.cmd_size = (SZ); \
r300->hw.ATOM.cmd = (uint32_t*)CALLOC((SZ) * sizeof(uint32_t)); \
r300->hw.ATOM.name = (NM); \
r300->hw.ATOM.idx = (IDX); \
r300->hw.ATOM.check = check_##CHK; \
r300->hw.ATOM.dirty = GL_FALSE; \
r300->hw.max_state_size += SZ; \
r300->hw.max_state_size += (SZ); \
} while (0)
@@ -287,7 +286,7 @@ CHECK( vpu, vpucount(atom->cmd) ? (1 + vpucount(atom->cmd)*4) : 0 )
void r300InitCmdBuf(r300ContextPtr r300)
{
int size, i, mtu;
r300->hw.max_state_size = 0;
mtu = r300->radeon.glCtx->Const.MaxTextureUnits;
src/mesa/drivers/dri/r300/r300_context.h
-2
View File
@@ -414,7 +414,6 @@ struct r300_hw_state {
#ifdef EXP_C
struct r300_state_atom lsf; /* line stipple factor */
#endif
struct r300_state_atom dummy[4];
struct r300_state_atom unk4260; /* (4260) */
struct r300_state_atom unk4274; /* (4274) */
struct r300_state_atom unk4288; /* (4288) */
@@ -456,7 +455,6 @@ struct r300_hw_state {
struct r300_state_atom vpi; /* vp instructions */
struct r300_state_atom vpp; /* vp parameters */
struct r300_state_atom vps; /* vertex point size (?) */
/* 8 texture units */
/* the state is grouped by function and not by
texture unit. This makes single unit updates
src/mesa/drivers/dri/r300/r300_render.c
+2 -3
View File
@@ -614,10 +614,10 @@ static GLboolean r300_run_vb_render(GLcontext *ctx,
struct vertex_buffer *VB = &tnl->vb;
int i, j;
LOCAL_VARS
if (RADEON_DEBUG & DEBUG_PRIMS)
fprintf(stderr, "%s\n", __FUNCTION__);
r300ReleaseArrays(ctx);
r300EmitArrays(ctx, GL_FALSE);
@@ -634,7 +634,6 @@ static GLboolean r300_run_vb_render(GLcontext *ctx,
reg_start(0x4f18,0);
e32(0x00000003);
r300EmitState(rmesa);
rmesa->state.Elts = VB->Elts;
src/mesa/drivers/dri/r300/r300_state.c
+21 -12
View File
@@ -1337,7 +1337,7 @@ void r300_setup_textures(GLcontext *ctx)
R300_STATECHANGE(r300, tex.offset);
R300_STATECHANGE(r300, tex.unknown4);
R300_STATECHANGE(r300, tex.border_color);
r300->state.texture.tc_count=0;
r300->hw.txe.cmd[R300_TXE_ENABLE]=0x0;
@@ -1346,35 +1346,43 @@ void r300_setup_textures(GLcontext *ctx)
if (RADEON_DEBUG & DEBUG_STATE)
fprintf(stderr, "mtu=%d\n", mtu);
if(mtu>R300_MAX_TEXTURE_UNITS){
if(mtu > R300_MAX_TEXTURE_UNITS) {
fprintf(stderr, "Aiiee ! mtu=%d is greater than R300_MAX_TEXTURE_UNITS=%d\n",
mtu, R300_MAX_TEXTURE_UNITS);
exit(-1);
}
for(i=0;i<mtu;i++){
}
for(i=0; i < mtu; i++) {
if( ((r300->state.render_inputs & (_TNL_BIT_TEX0<<i))!=0) != ((ctx->Texture.Unit[i].Enabled)!=0) ) {
WARN_ONCE("Mismatch between render_inputs and ctx->Texture.Unit[i].Enabled value.\n");
}
if(r300->state.render_inputs & (_TNL_BIT_TEX0<<i)){
}
if(r300->state.render_inputs & (_TNL_BIT_TEX0<<i)) {
t=r300->state.texture.unit[i].texobj;
//fprintf(stderr, "format=%08x\n", r300->state.texture.unit[i].format);
r300->state.texture.tc_count++;
if(t==NULL){
if(t == NULL){
fprintf(stderr, "Texture unit %d enabled, but corresponding texobj is NULL, using default object.\n", i);
//exit(-1);
t=&default_tex_obj;
}
}
//fprintf(stderr, "t->format=%08x\n", t->format);
if((t->format & 0xffffff00)==0xffffff00){
if((t->format & 0xffffff00)==0xffffff00) {
WARN_ONCE("unknown texture format (entry %x) encountered. Help me !\n", t->format & 0xff);
//fprintf(stderr, "t->format=%08x\n", t->format);
}
}
if (RADEON_DEBUG & DEBUG_STATE)
fprintf(stderr, "Activating texture unit %d\n", i);
max_texture_unit=i;
r300->hw.txe.cmd[R300_TXE_ENABLE]|=(1<<i);
r300->hw.tex.filter.cmd[R300_TEX_VALUE_0+i]=gen_fixed_filter(t->filter);
r300->hw.tex.unknown1.cmd[R300_TEX_VALUE_0+i]=0x0;
/* No idea why linear filtered textures shake when puting random data */
/*r300->hw.tex.unknown1.cmd[R300_TEX_VALUE_0+i]=(rand()%0xffffffff) & (~0x1fff);*/
r300->hw.tex.size.cmd[R300_TEX_VALUE_0+i]=t->size;
@@ -1383,8 +1391,9 @@ void r300_setup_textures(GLcontext *ctx)
r300->hw.tex.offset.cmd[R300_TEX_VALUE_0+i]=r300->radeon.radeonScreen->fbLocation+t->offset;
r300->hw.tex.unknown4.cmd[R300_TEX_VALUE_0+i]=0x0;
r300->hw.tex.border_color.cmd[R300_TEX_VALUE_0+i]=t->pp_border_color;
}
}
}
((drm_r300_cmd_header_t*)r300->hw.tex.filter.cmd)->unchecked_state.count = max_texture_unit+1;
((drm_r300_cmd_header_t*)r300->hw.tex.unknown1.cmd)->unchecked_state.count = max_texture_unit+1;
((drm_r300_cmd_header_t*)r300->hw.tex.size.cmd)->unchecked_state.count = max_texture_unit+1;