On Sun, 09 Nov 2014 00:15:49 +0100, Jerome Glisse <j.glisse at gmail.com> wrote:
> On Sat, Nov 08, 2014 at 11:51:30PM +0100, Glenn Kennard wrote:
>> Signed-off-by: Glenn Kennard <glenn.kennard at gmail.com>
>
> NAK insecure. This is missing any kind of boundary checking for the
> indirect buffer and thus can be abused.

The indirect command buffer is a fixed format 16 or 20 bytes size, read by fixed function hardware, which only contains the following:

For PACKET3_DRAW_INDIRECT:

    typedef struct {
        GLuint count;
        GLuint primCount;
        GLuint first;
        GLuint reservedMustBeZero;
    } DrawArraysIndirectCommand;

or PACKET3_DRAW_INDEX_INDIRECT:

    typedef struct {
        GLuint count;
        GLuint primCount;
        GLuint firstIndex;
        GLint baseVertex;
        GLuint reservedMustBeZero;
    } DrawElementsIndirectCommand;

Please outline an example of how this would be abused.

/Glenn
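The boundary check requested in the quoted review, sketched as an added example that is not part of this thread or of the radeon driver: it verifies that the 16- or 20-byte command lies wholly inside the indirect buffer object. The names check_indirect_range, indirect_kind, bo_size and offset are hypothetical, and the 4-byte alignment rule is the one OpenGL places on the indirect offset.

```c
#include <stdint.h>
#include <stdio.h>

/* Layouts quoted in the message above, restated with fixed-width types. */
struct draw_arrays_indirect_cmd {
    uint32_t count, prim_count, first, reserved_must_be_zero;
};
struct draw_elements_indirect_cmd {
    uint32_t count, prim_count, first_index;
    int32_t  base_vertex;
    uint32_t reserved_must_be_zero;
};
_Static_assert(sizeof(struct draw_arrays_indirect_cmd) == 16, "16-byte command");
_Static_assert(sizeof(struct draw_elements_indirect_cmd) == 20, "20-byte command");

/* Hypothetical tag for the two packets named in the message. */
enum indirect_kind { DRAW_INDIRECT, DRAW_INDEX_INDIRECT };

/*
 * Returns 0 when [offset, offset + command size) fits inside a buffer
 * object of bo_size bytes, -1 otherwise.
 */
int check_indirect_range(enum indirect_kind kind, uint64_t bo_size, uint64_t offset)
{
    uint64_t need = (kind == DRAW_INDIRECT)
        ? sizeof(struct draw_arrays_indirect_cmd)
        : sizeof(struct draw_elements_indirect_cmd);

    if (offset & 3)               /* offset must be a multiple of 4 */
        return -1;
    if (bo_size < need)           /* buffer cannot hold even one command */
        return -1;
    /* Subtract rather than add, so a huge offset cannot wrap around. */
    if (offset > bo_size - need)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample values: a 4096-byte buffer object. */
    printf("arrays   @4080: %d\n", check_indirect_range(DRAW_INDIRECT, 4096, 4080));
    printf("elements @4080: %d\n", check_indirect_range(DRAW_INDEX_INDIRECT, 4096, 4080));
    printf("wrapping offset: %d\n",
           check_indirect_range(DRAW_INDIRECT, 4096, UINT64_MAX - 3));
    return 0;
}
```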