Mesa (staging/22.0): vbo/dlist: do not try to pad an empty draw

Thu, 21 Apr 2022 10:29:23 -0700 

Module: Mesa
Branch: staging/22.0
Commit: 33d0d5fb142cef3b408dfa0e0bb21bc8b64f799a
URL:    
http://cgit.freedesktop.org/mesa/mesa/commit/?id=33d0d5fb142cef3b408dfa0e0bb21bc8b64f799a

Author: Erik Faye-Lund <kusmab...@gmail.com>
Date:   Tue Mar 29 12:38:46 2022 +0200

vbo/dlist: do not try to pad an empty draw

In the case where u_index_generator returns zero new vertices, we never
filled tmp_indices before trying to duplicate the last veretx. This
causes us to read unitialized memory.

This fixes a Valgrind issue triggering in glxgears on Zink:

---8<---
==296461== Invalid read of size 2
==296461==    at 0x570F335: compile_vertex_list (vbo_save_api.c:733)
==296461==    by 0x570FEFB: wrap_buffers (vbo_save_api.c:1021)
==296461==    by 0x571050A: upgrade_vertex (vbo_save_api.c:1134)
==296461==    by 0x571050A: fixup_vertex (vbo_save_api.c:1251)
==296461==    by 0x57114D1: _save_Normal3f (vbo_attrib_tmp.h:315)
==296461==    by 0x10B750: ??? (in /usr/bin/glxgears)
==296461==    by 0x10A2CC: ??? (in /usr/bin/glxgears)
==296461==    by 0x4B3F30F: (below main) (in /usr/lib/libc.so.6)
==296461==  Address 0x11ca23de is 2 bytes before a block of size 1,968 alloc'd
==296461==    at 0x4845899: malloc (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==296461==    by 0x570E647: compile_vertex_list (vbo_save_api.c:604)
==296461==    by 0x570FEFB: wrap_buffers (vbo_save_api.c:1021)
==296461==    by 0x571050A: upgrade_vertex (vbo_save_api.c:1134)
==296461==    by 0x571050A: fixup_vertex (vbo_save_api.c:1251)
==296461==    by 0x57114D1: _save_Normal3f (vbo_attrib_tmp.h:315)
==296461==    by 0x10B750: ??? (in /usr/bin/glxgears)
==296461==    by 0x10A2CC: ??? (in /usr/bin/glxgears)
==296461==    by 0x4B3F30F: (below main) (in /usr/lib/libc.so.6)
---8<---

Fixes: dcbf2423d28 ("vbo/dlist: add vertices to incomplete primitives")
Reviewed-by: Marek Olšák <marek.ol...@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/15633>
(cherry picked from commit 83ed40cdcd54996b12eb78824f469ae8e44eb6fe)

---

 src/mesa/vbo/vbo_save_api.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/mesa/vbo/vbo_save_api.c b/src/mesa/vbo/vbo_save_api.c
index 258359a4de7..29c9c629fb5 100644
--- a/src/mesa/vbo/vbo_save_api.c
+++ b/src/mesa/vbo/vbo_save_api.c
@@ -727,12 +727,14 @@ compile_vertex_list(struct gl_context *ctx)
       }
 
       /* Duplicate the last vertex for incomplete primitives */
-      unsigned min_vert = u_prim_vertex_count(mode)->min;
-      for (unsigned j = vertex_count; j < min_vert; j++) {
-         indices[idx++] = add_vertex(save, vertex_to_index,
-                                     converted_prim ? CAST_INDEX(tmp_indices, 
index_size, vertex_count - 1) :
-                                                      original_prims[i].start 
+ vertex_count - 1,
-                                     temp_vertices_buffer, &max_index);
+      if (vertex_count > 0) {
+         unsigned min_vert = u_prim_vertex_count(mode)->min;
+         for (unsigned j = vertex_count; j < min_vert; j++) {
+            indices[idx++] = add_vertex(save, vertex_to_index,
+                                       converted_prim ? 
CAST_INDEX(tmp_indices, index_size, vertex_count - 1) :
+                                                         
original_prims[i].start + vertex_count - 1,
+                                       temp_vertices_buffer, &max_index);
+         }
       }
 
 #undef CAST_INDEX

Reply via email to