gallium: fix memory corruption in u_gen_mipmap.c

Remove the old/initial vbuf allocation in util_create_gen_mipmap(). We were allocating a small vbuf at this point so get_next_slot() didn't have as large of buffer as it expected. So all but the first set_vertex_data() was writing out of bounds. Also added some comments.
2026-01-30 11:30:22 +01:00 · 2008-12-17 18:52:10 -07:00 · 2008-12-17 18:52:10 -07:00 · d1c8af7c0a
commit d1c8af7c0a
parent f0b0794b38
1 changed files with 9 additions and 10 deletions
--- a/src/gallium/auxiliary/util/u_gen_mipmap.c
+++ b/src/gallium/auxiliary/util/u_gen_mipmap.c
@ -760,15 +760,6 @@ util_create_gen_mipmap(struct pipe_context *pipe,
   /* fragment shader */
   ctx->fs = util_make_fragment_tex_shader(pipe, &ctx->frag_shader);

-   ctx->vbuf = pipe_buffer_create(pipe->screen,
-                                  32,
-                                  PIPE_BUFFER_USAGE_VERTEX,
-                                  sizeof(ctx->vertices));
-   if (!ctx->vbuf) {
-      FREE(ctx);
-      return NULL;
-   }
-
   /* vertex data that doesn't change */
   for (i = 0; i < 4; i++) {
      ctx->vertices[i][0][2] = 0.0f; /* z */
@ -777,11 +768,18 @@ util_create_gen_mipmap(struct pipe_context *pipe,
      ctx->vertices[i][1][3] = 1.0f; /* q */
   }

+   /* Note: the actual vertex buffer is allocated as needed below */
+
   return ctx;
 }


-static unsigned get_next_slot( struct gen_mipmap_state *ctx )
+/**
+ * Get next "slot" of vertex space in the vertex buffer.
+ * We're allocating one large vertex buffer and using it piece by piece.
+ */
+static unsigned
+get_next_slot(struct gen_mipmap_state *ctx)
 {
   const unsigned max_slots = 4096 / sizeof ctx->vertices;

@ -798,6 +796,7 @@ static unsigned get_next_slot( struct gen_mipmap_state *ctx )
   return ctx->vbuf_slot++ * sizeof ctx->vertices;
 }

+
 static unsigned
 set_vertex_data(struct gen_mipmap_state *ctx, float width, float height)
 {