Module: Mesa
Branch: staging/22.0
Commit: 8c725abfa3cf4c27c68fc4a7d997f2caa0ae5db1
URL:
http://cgit.freedesktop.org/mesa/mesa/commit/?id=8c725abfa3cf4c27c68fc4a7d997f2caa0ae5db1
Author: Erik Faye-Lund <kusmab...@gmail.com>
Date: Tue Mar 29 12:38:46 2022 +0200
vbo/dlist: do not try to pad an empty draw
In the case where u_index_generator returns zero new vertices, we never
filled tmp_indices before trying to duplicate the last veretx. This
causes us to read unitialized memory.
This fixes a Valgrind issue triggering in glxgears on Zink:
---8<---
==296461== Invalid read of size 2
==296461== at 0x570F335: compile_vertex_list (vbo_save_api.c:733)
==296461== by 0x570FEFB: wrap_buffers (vbo_save_api.c:1021)
==296461== by 0x571050A: upgrade_vertex (vbo_save_api.c:1134)
==296461== by 0x571050A: fixup_vertex (vbo_save_api.c:1251)
==296461== by 0x57114D1: _save_Normal3f (vbo_attrib_tmp.h:315)
==296461== by 0x10B750: ??? (in /usr/bin/glxgears)
==296461== by 0x10A2CC: ??? (in /usr/bin/glxgears)
==296461== by 0x4B3F30F: (below main) (in /usr/lib/libc.so.6)
==296461== Address 0x11ca23de is 2 bytes before a block of size 1,968 alloc'd
==296461== at 0x4845899: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==296461== by 0x570E647: compile_vertex_list (vbo_save_api.c:604)
==296461== by 0x570FEFB: wrap_buffers (vbo_save_api.c:1021)
==296461== by 0x571050A: upgrade_vertex (vbo_save_api.c:1134)
==296461== by 0x571050A: fixup_vertex (vbo_save_api.c:1251)
==296461== by 0x57114D1: _save_Normal3f (vbo_attrib_tmp.h:315)
==296461== by 0x10B750: ??? (in /usr/bin/glxgears)
==296461== by 0x10A2CC: ??? (in /usr/bin/glxgears)
==296461== by 0x4B3F30F: (below main) (in /usr/lib/libc.so.6)
---8<---
Fixes: dcbf2423d28 ("vbo/dlist: add vertices to incomplete primitives")
Reviewed-by: Marek Olšák <marek.ol...@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/15633>
(cherry picked from commit 83ed40cdcd54996b12eb78824f469ae8e44eb6fe)
---
.pick_status.json | 2 +-
src/mesa/vbo/vbo_save_api.c | 14 ++++++++------
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/.pick_status.json b/.pick_status.json
index 6639db3568e..5462f46550d 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -6588,7 +6588,7 @@
"description": "vbo/dlist: do not try to pad an empty draw",
"nominated": true,
"nomination_type": 1,
- "resolution": 5,
+ "resolution": 1,
"because_sha": "dcbf2423d284b7bf2d0dc3e622c73de00c7d5bf4"
},
{
diff --git a/src/mesa/vbo/vbo_save_api.c b/src/mesa/vbo/vbo_save_api.c
index 258359a4de7..29c9c629fb5 100644
--- a/src/mesa/vbo/vbo_save_api.c
+++ b/src/mesa/vbo/vbo_save_api.c
@@ -727,12 +727,14 @@ compile_vertex_list(struct gl_context *ctx)
}
/* Duplicate the last vertex for incomplete primitives */
- unsigned min_vert = u_prim_vertex_count(mode)->min;
- for (unsigned j = vertex_count; j < min_vert; j++) {
- indices[idx++] = add_vertex(save, vertex_to_index,
- converted_prim ? CAST_INDEX(tmp_indices,
index_size, vertex_count - 1) :
- original_prims[i].start
+ vertex_count - 1,
- temp_vertices_buffer, &max_index);
+ if (vertex_count > 0) {
+ unsigned min_vert = u_prim_vertex_count(mode)->min;
+ for (unsigned j = vertex_count; j < min_vert; j++) {
+ indices[idx++] = add_vertex(save, vertex_to_index,
+ converted_prim ?
CAST_INDEX(tmp_indices, index_size, vertex_count - 1) :
+
original_prims[i].start + vertex_count - 1,
+ temp_vertices_buffer, &max_index);
+ }
}
#undef CAST_INDEX
