From 6bb5aceb28f5e9583a21786ef43d6de68533f6ee Mon Sep 17 00:00:00 2001
From: Jose Fonseca
Date: Wed, 9 Nov 2022 09:22:06 +0000
Subject: [PATCH] draw: Prevent index buffer overflow.
This prevents segfaults running wgf11draw DrawMethod=DrawIndexed tests cases. This change is not, however, sufficient to pass all tests. That is, there must remain code paths where indices read beyond the end of the index buffer do not return zero index.
Reviewed-by: Roland Scheidegger
Reviewed-by: Brian Paul
Part-of:
---
 src/gallium/auxiliary/draw/draw_pt.c | 30 +++++++++++++++-------------
 1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/src/gallium/auxiliary/draw/draw_pt.c b/src/gallium/auxiliary/draw/draw_pt.c
index 10908e2d23c..9d716732d59 100644
--- a/src/gallium/auxiliary/draw/draw_pt.c
+++ b/src/gallium/auxiliary/draw/draw_pt.c
@@ -365,23 +365,25 @@ prim_restart_loop(struct draw_context *draw,
 const unsigned MAX_LOOP_IDX = 0xffffffff;
 for (unsigned j = 0; j < draw_info->count; j++) {
- unsigned restart_idx = 0;
+ unsigned index = 0;
 unsigned i = draw_overflow_uadd(draw_info->start, j, MAX_LOOP_IDX);
- switch (draw->pt.user.eltSize) {
- case 1:
- restart_idx = ((const uint8_t*)elements)[i];
- break;
- case 2:
- restart_idx = ((const uint16_t*)elements)[i];
- break;
- case 4:
- restart_idx = ((const uint32_t*)elements)[i];
- break;
- default:
- assert(0 && "bad eltSize in draw_arrays()");
+ if (i < elt_max) {
+ switch (draw->pt.user.eltSize) {
+ case 1:
+ index = ((const uint8_t*)elements)[i];
+ break;
+ case 2:
+ index = ((const uint16_t*)elements)[i];
+ break;
+ case 4:
+ index = ((const uint32_t*)elements)[i];
+ break;
+ default:
+ assert(0 && "bad eltSize in draw_arrays()");
+ }
 }
- if (i < elt_max && restart_idx == info->restart_index) {
+ if (index == info->restart_index) {
 if (cur.count > 0) {
 /* draw elts up to prev pos */
 draw_pt_arrays(draw, info->mode, info->index_bias_varies, &cur, 1);
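Review bot: With the bounds test moved in front of the `switch`, a position at or past `elt_max` leaves `index` at 0 and still reaches `if (index == info->restart_index)`, so when the restart index is 0 every out-of-range position now ends the current primitive, which the old `i < elt_max && ...` condition never allowed. If reading past the end as index 0 is the intended semantics, say so next to the guard, for example `/* out-of-range positions read as index 0 and may match a restart index of 0 */`; if it is not, keep the bound in the comparison: `if (i < elt_max && index == info->restart_index) {`. The guard is only sound if `elt_max` counts elements of `eltSize` rather than bytes, and its definition is outside the hunk, as are the start and end of `prim_restart_loop`. In builds where `assert` is compiled out, the `default:` case also falls through with `index` equal to 0, so an unexpected `eltSize` is silently treated as a buffer of zero indices.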