Mesa (master): draw: Prevent clipped vertices overflow.

[Jose Fonseca]

Module: Mesa
Branch: master
Commit: 440129521c36bc2c2e59c462a94394b2f42a847e
URL:    
http://cgit.freedesktop.org/mesa/mesa/commit/?id=440129521c36bc2c2e59c462a94394b2f42a847e

Author: José Fonseca <jfons...@vmware.com>
Date:   Thu Aug 26 15:30:51 2010 +0100

draw: Prevent clipped vertices overflow.

Some pathological triangles cause a theoritically impossible number of
clipped vertices.

The clipper will still assert, but at least release builds will not
crash, while this problem is further investigated.

---

 src/gallium/auxiliary/draw/draw_pipe_clip.c |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)

diff --git a/src/gallium/auxiliary/draw/draw_pipe_clip.c 
b/src/gallium/auxiliary/draw/draw_pipe_clip.c
index 50acc6c..a10d8e9 100644
--- a/src/gallium/auxiliary/draw/draw_pipe_clip.c
+++ b/src/gallium/auxiliary/draw/draw_pipe_clip.c
@@ -263,6 +263,8 @@ do_clip_tri( struct draw_stage *stage,
       clipmask &= ~(1<<plane_idx);
 
       assert(n < MAX_CLIPPED_VERTICES);
+      if (n >= MAX_CLIPPED_VERTICES)
+         return;
       inlist[n] = inlist[0]; /* prevent rotation of vertices */
 
       for (i = 1; i <= n; i++) {
@@ -272,16 +274,22 @@ do_clip_tri( struct draw_stage *stage,
 
         if (!IS_NEGATIVE(dp_prev)) {
             assert(outcount < MAX_CLIPPED_VERTICES);
+            if (outcount >= MAX_CLIPPED_VERTICES)
+               return;
            outlist[outcount++] = vert_prev;
         }
 
         if (DIFFERENT_SIGNS(dp, dp_prev)) {
            struct vertex_header *new_vert;
 
-            assert(tmpnr < MAX_CLIPPED_VERTICES+1);
+            assert(tmpnr < MAX_CLIPPED_VERTICES + 1);
+            if (tmpnr >= MAX_CLIPPED_VERTICES + 1)
+               return;
             new_vert = clipper->stage.tmp[tmpnr++];
 
             assert(outcount < MAX_CLIPPED_VERTICES);
+            if (outcount >= MAX_CLIPPED_VERTICES)
+               return;
            outlist[outcount++] = new_vert;
 
            if (IS_NEGATIVE(dp)) {
@@ -326,6 +334,8 @@ do_clip_tri( struct draw_stage *stage,
          if (stage->draw->rasterizer->flatshade_first) {
             if (inlist[0] != header->v[0]) {
                assert(tmpnr < MAX_CLIPPED_VERTICES + 1);
+               if (tmpnr >= MAX_CLIPPED_VERTICES + 1)
+                  return;
                inlist[0] = dup_vert(stage, inlist[0], tmpnr++);
                copy_colors(stage, inlist[0], header->v[0]);
             }
@@ -333,6 +343,8 @@ do_clip_tri( struct draw_stage *stage,
          else {
             if (inlist[0] != header->v[2]) {
                assert(tmpnr < MAX_CLIPPED_VERTICES + 1);
+               if (tmpnr >= MAX_CLIPPED_VERTICES + 1)
+                  return;
                inlist[0] = dup_vert(stage, inlist[0], tmpnr++);
                copy_colors(stage, inlist[0], header->v[2]);
             }

_______________________________________________
mesa-commit mailing list
mesa-commit@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/mesa-commit