vbo: fix out-of-bounds array access

The exec->vtx.inputs[] array was being written past its end. This was clobbering the following vbo_exec_context::eval state. Probably not noticed since evaluators and immediate mode rendering don't happen at the same time. Fixed the loop in vbo_exec_vtx_init(). Changed the size of the vbo_exec_context::vtx.arrays[] array. Added a bunch of debug-build assertions. Issue found by Vinson Lee.
2026-05-05 03:08:05 +02:00 · 2009-11-04 17:51:21 -07:00 · 2009-11-04 17:51:21 -07:00 · 1c3f7ab74c
commit 1c3f7ab74c
parent bc4ad7c2ae
3 changed files with 11 additions and 1 deletions
--- a/src/mesa/vbo/vbo_exec.h
+++ b/src/mesa/vbo/vbo_exec.h
@ -103,7 +103,7 @@ struct vbo_exec_context
      GLubyte active_sz[VBO_ATTRIB_MAX];

      GLfloat *attrptr[VBO_ATTRIB_MAX]; 
-      struct gl_client_array arrays[VBO_ATTRIB_MAX];
+      struct gl_client_array arrays[VERT_ATTRIB_MAX];

      /* According to program mode, the values above plus current
       * values are squashed down to the 32 attributes passed to the
--- a/src/mesa/vbo/vbo_exec_api.c
+++ b/src/mesa/vbo/vbo_exec_api.c
@ -695,8 +695,14 @@ void vbo_exec_vtx_init( struct vbo_exec_context *exec )
   _mesa_install_exec_vtxfmt( exec->ctx, &exec->vtxfmt );

   for (i = 0 ; i < VBO_ATTRIB_MAX ; i++) {
+      ASSERT(i < Elements(exec->vtx.attrsz));
      exec->vtx.attrsz[i] = 0;
+      ASSERT(i < Elements(exec->vtx.active_sz));
      exec->vtx.active_sz[i] = 0;
+   }
+   for (i = 0 ; i < VERT_ATTRIB_MAX; i++) {
+      ASSERT(i < Elements(exec->vtx.inputs));
+      ASSERT(i < Elements(exec->vtx.arrays));
      exec->vtx.inputs[i] = &exec->vtx.arrays[i];
   }
   
--- a/src/mesa/vbo/vbo_exec_draw.c
+++ b/src/mesa/vbo/vbo_exec_draw.c
@ -172,6 +172,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
         exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
      }
      for (attr = 0; attr < MAT_ATTRIB_MAX; attr++) {
+         ASSERT(attr + 16 < Elements(exec->vtx.inputs));
         exec->vtx.inputs[attr + 16] = &vbo->mat_currval[attr];
      }
      map = vbo->map_vp_none;
@ -184,6 +185,7 @@ vbo_exec_bind_arrays( GLcontext *ctx )
       */
      for (attr = 0; attr < 16; attr++) {
         exec->vtx.inputs[attr] = &vbo->legacy_currval[attr];
+         ASSERT(attr + 16 < Elements(exec->vtx.inputs));
         exec->vtx.inputs[attr + 16] = &vbo->generic_currval[attr];
      }
      map = vbo->map_vp_arb;
@ -212,6 +214,8 @@ vbo_exec_bind_arrays( GLcontext *ctx )

      if (exec->vtx.attrsz[src]) {
         /* override the default array set above */
+         ASSERT(attr < Elements(exec->vtx.inputs));
+         ASSERT(attr < Elements(exec->vtx.arrays)); /* arrays[] */
         exec->vtx.inputs[attr] = &arrays[attr];

         if (_mesa_is_bufferobj(exec->vtx.bufferobj)) {