-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Nicolai Hähnle wrote:
> glUniformMatrix() with too large count parameter could previously lead to
> memory corruption.
Is there a piglit test for this? I imagine calling it with count ==
INT_MAX should crash fairly reliably. :)
> Signed-off-by: Nicolai Hähnle <nhaeh...@gmail.com>
Reviewed-by: Ian Romanick <ian.d.roman...@intel.com>
> ---
> src/mesa/shader/shader_api.c | 29 +++++++++++++++++++++--------
> 1 files changed, 21 insertions(+), 8 deletions(-)
>
> diff --git a/src/mesa/shader/shader_api.c b/src/mesa/shader/shader_api.c
> index 6b19b4c..fbd995e 100644
> --- a/src/mesa/shader/shader_api.c
> +++ b/src/mesa/shader/shader_api.c
> @@ -1707,7 +1707,7 @@ set_program_uniform(GLcontext *ctx, struct gl_program
> *program,
> }
> else {
> /* non-array: count must be one */
> - if (count != 1) {
> + if (count > 1) {
> _mesa_error(ctx, GL_INVALID_OPERATION,
> "glUniform(uniform is not an array)");
> return;
I'd update the comment here too. I had to look at the code to verify
that count == 0 was handled correctly.
> @@ -1884,20 +1884,27 @@ set_program_uniform_matrix(GLcontext *ctx, struct
> gl_program *program,
> GLboolean transpose, const GLfloat *values)
> {
> GLuint mat, row, col;
> - GLuint dst = index + offset, src = 0;
> + GLuint src = 0;
> + const struct gl_program_parameter * param = &program->Parameters-
>> Parameters[index];
> + const GLint slots = (param->Size + 3) / 4;
> + const GLint typeSize = sizeof_glsl_type(param->DataType);
> GLint nr, nc;
>
> /* check that the number of rows, columns is correct */
> - get_matrix_dims(program->Parameters->Parameters[index].DataType, &nr,
> &nc);
> + get_matrix_dims(param->DataType, &nr, &nc);
> if (rows != nr || cols != nc) {
> _mesa_error(ctx, GL_INVALID_OPERATION,
> "glUniformMatrix(matrix size mismatch)");
> return;
> }
>
> - if (index + offset > program->Parameters->Size) {
> - /* out of bounds! */
> - return;
> + if (param->Size <= typeSize) {
> + /* non-array: count must be one */
> + if (count > 1) {
> + _mesa_error(ctx, GL_INVALID_OPERATION,
> + "glUniformMatrix(uniform is not an array)");
> + return;
> + }
> }
>
> /*
> @@ -1911,7 +1918,12 @@ set_program_uniform_matrix(GLcontext *ctx, struct
> gl_program *program,
>
> /* each matrix: */
> for (col = 0; col < cols; col++) {
> - GLfloat *v = program->Parameters->ParameterValues[dst];
> + GLfloat *v;
> + if (offset >= slots) {
> + /* Ignore writes beyond the end of (the used part of) an array */
> + return;
> + }
> + v = program->Parameters->ParameterValues[index + offset];
> for (row = 0; row < rows; row++) {
> if (transpose) {
> v[row] = values[src + row * cols + col];
> @@ -1920,7 +1932,8 @@ set_program_uniform_matrix(GLcontext *ctx, struct
> gl_program *program,
> v[row] = values[src + col * rows + row];
> }
> }
> - dst++;
> +
> + offset++;
> }
>
> src += rows * cols; /* next matrix */
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkrLjGsACgkQX1gOwKyEAw8sRwCfQ5U12Nv+RD3xnGyw2ZczNVji
9zEAnjyzCl3wuUbPUzQZHwMK4TOhy6v3
=7KI0
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Mesa3d-dev mailing list
Mesa3d-dev@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mesa3d-dev
