util/primconvert: Avoid OoB with improbable draws
Detect when the temporary index buffer cannot be generated due to too large primitive count, and simply drop the draw on the floor. Fixes a webgl reachable asan/crash. Cc: mesa-stable Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/12092 Signed-off-by: Rob Clark <robdclark@chromium.org> Reviewed-by: Alyssa Rosenzweig <alyssa@rosenzweig.io> Reviewed-By: Mike Blumenkrantz <michael.blumenkrantz@gmail.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/31914>
@@ -221,8 +221,13 @@ primconvert_init_draw(struct primconvert_context *pc,
|
||||
}
|
||||
|
||||
/* (step 5: allocate gpu memory sized for the FINAL index count) */
|
||||
u_upload_alloc(pc->pipe->stream_uploader, 0, new_info->index_size * new_draw->count, 4,
|
||||
uint64_t new_size = (uint64_t)new_info->index_size * new_draw->count;
|
||||
if (new_size > UINT_MAX)
|
||||
return false;
|
||||
u_upload_alloc(pc->pipe->stream_uploader, 0, new_size, 4,
|
||||
&ib_offset, &new_info->index.resource, &dst);
|
||||
if (!dst)
|
||||
return false;
|
||||
new_draw->start = ib_offset / new_info->index_size;
|
||||
new_draw->index_bias = info->index_size ? draw.index_bias : 0;
|
||||
|
||||
|
||||
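Review bot: The new `if (new_size > UINT_MAX) return false;` path drops the draw silently and has no comment explaining why the bound is `UINT_MAX`. A one-line comment such as `/* size must fit u_upload_alloc()'s unsigned size argument; otherwise drop the draw */` would keep the truncation reasoning next to the check. The guard also only covers the final multiplication: `new_draw->count` is computed before this hunk, so it is worth confirming that this computation cannot itself wrap in 32 bits for the same oversized draws, since a wrapped count would pass the check with an undersized buffer. primconvert_init_draw starts and continues outside the hunk, so whether anything mapped earlier needs releasing on this early return cannot be judged from here.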