Untested, but looks good. This should go on the 7.6 branch.

-Brian

Nicolai Hähnle wrote:
> glUniformMatrix() with too large count parameter could previously lead to 
> memory corruption.
> 
> Signed-off-by: Nicolai Hähnle <nhaeh...@gmail.com>
> ---
>  src/mesa/shader/shader_api.c |   29 +++++++++++++++++++++--------
>  1 files changed, 21 insertions(+), 8 deletions(-)
> 
> diff --git a/src/mesa/shader/shader_api.c b/src/mesa/shader/shader_api.c
> index 6b19b4c..fbd995e 100644
> --- a/src/mesa/shader/shader_api.c
> +++ b/src/mesa/shader/shader_api.c
> @@ -1707,7 +1707,7 @@ set_program_uniform(GLcontext *ctx, struct gl_program 
> *program,
>        }
>        else {
>           /* non-array: count must be one */
> -         if (count != 1) {
> +         if (count > 1) {
>              _mesa_error(ctx, GL_INVALID_OPERATION,
>                          "glUniform(uniform is not an array)");
>              return;
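Review bot: Relaxing the non-array test from `count != 1` to `count > 1` lets zero and, if count is a signed type, negative values pass this branch; the same test is added for glUniformMatrix in the second hunk. No rejection of negative counts is visible in either hunk, and the rest of set_program_uniform lies outside it, so confirm that the callers raise GL_INVALID_VALUE for `count < 0` before reaching here. If they do, a comment such as `/* count == 0 is a no-op; callers reject count < 0 */` would record why the weaker test is safe.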
> @@ -1884,20 +1884,27 @@ set_program_uniform_matrix(GLcontext *ctx, struct 
> gl_program *program,
>                             GLboolean transpose, const GLfloat *values)
>  {
>     GLuint mat, row, col;
> -   GLuint dst = index + offset, src = 0;
> +   GLuint src = 0;
> +   const struct gl_program_parameter * param = &program->Parameters-
>> Parameters[index];
> +   const GLint slots = (param->Size + 3) / 4;
> +   const GLint typeSize = sizeof_glsl_type(param->DataType);
>     GLint nr, nc;
>  
>     /* check that the number of rows, columns is correct */
> -   get_matrix_dims(program->Parameters->Parameters[index].DataType, &nr, 
> &nc);
> +   get_matrix_dims(param->DataType, &nr, &nc);
>     if (rows != nr || cols != nc) {
>        _mesa_error(ctx, GL_INVALID_OPERATION,
>                    "glUniformMatrix(matrix size mismatch)");
>        return;
>     }
>  
> -   if (index + offset > program->Parameters->Size) {
> -      /* out of bounds! */
> -      return;
> +   if (param->Size <= typeSize) {
> +      /* non-array: count must be one */
> +      if (count > 1) {
> +         _mesa_error(ctx, GL_INVALID_OPERATION,
> +                     "glUniformMatrix(uniform is not an array)");
> +         return;
> +      }
>     }
>  
>     /*
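Review bot: The new `param = &program->Parameters->Parameters[index]` initializer uses index before any validation, and the commit removes the only visible bound check that involved index (`index + offset > program->Parameters->Size`). If the callers do not already guarantee a valid location, param->Size and param->DataType are read from outside the parameter array and then drive the later bound on writes. Consider a guard before param is used, along the lines of `if (index < 0 || (GLuint) index >= program->Parameters->NumParameters) return;`, or a comment stating that the caller has validated index. The function body continues outside this hunk.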
> @@ -1911,7 +1918,12 @@ set_program_uniform_matrix(GLcontext *ctx, struct 
> gl_program *program,
>  
>        /* each matrix: */
>        for (col = 0; col < cols; col++) {
> -         GLfloat *v = program->Parameters->ParameterValues[dst];
> +         GLfloat *v;
> +         if (offset >= slots) {
> +            /* Ignore writes beyond the end of (the used part of) an array */
> +            return;
> +         }
> +         v = program->Parameters->ParameterValues[index + offset];
>           for (row = 0; row < rows; row++) {
>              if (transpose) {
>                 v[row] = values[src + row * cols + col];
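Review bot: The new guard `if (offset >= slots)` bounds only the upper end of the write to `ParameterValues[index + offset]`. The declaration of offset is outside the hunk; if it is a signed GLint like slots, a negative offset passes the test and indexes before the uniform's storage, so `if (offset < 0 || offset >= slots)` would close both ends. The check is also re-evaluated per column and returns mid-matrix, which can leave a partially written matrix; clamping the number of matrices once before the loop would be easier to reason about.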
> @@ -1920,7 +1932,8 @@ set_program_uniform_matrix(GLcontext *ctx, struct 
> gl_program *program,
>                 v[row] = values[src + col * rows + row];
>              }
>           }
> -         dst++;
> +
> +         offset++;
>        }
>  
>        src += rows * cols;  /* next matrix */

