From: Zack Rusin <zackr@vmware.com>
Date: Tue, 25 Jun 2013 17:54:47 +0000 (-0400)
Subject: draw: account for elem size when computing overflow
X-Git-Tag: mesa-9.2.1~469
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e742f7788ea6f2c1a4e1071a2d53eef5939e501b;p=platform%2Fupstream%2Fmesa.git

draw: account for elem size when computing overflow

We weren't taking into account the size of element
that is to be fetched, which meant that it was possible
to overflow the buffer reads if the stride was very
close to the end of the buffer, e.g. stride = 3, buffer
size = 4, and the element to be read = 4. This should
be properly detected as an overflow.

Signed-off-by: Zack Rusin <zackr@vmware.com>
---

diff --git a/src/gallium/auxiliary/draw/draw_llvm.c b/src/gallium/auxiliary/draw/draw_llvm.c
index 5373d1a..f27776a 100644
--- a/src/gallium/auxiliary/draw/draw_llvm.c
+++ b/src/gallium/auxiliary/draw/draw_llvm.c
@@ -695,6 +695,7 @@ generate_fetch(struct gallivm_state *gallivm,
    LLVMValueRef buffer_size = draw_jit_dvbuffer_size(gallivm, vbuffer_ptr);
    LLVMValueRef stride;
    LLVMValueRef buffer_overflowed;
+   LLVMValueRef needed_buffer_size;
    LLVMValueRef temp_ptr =
       lp_build_alloca(gallivm,
                       lp_build_vec_type(gallivm, lp_float32_vec4_type()), "");
@@ -715,15 +716,30 @@ generate_fetch(struct gallivm_state *gallivm,
    stride = LLVMBuildAdd(builder, stride,
                          lp_build_const_int32(gallivm, velem->src_offset),
                          "");
-
-   buffer_overflowed = LLVMBuildICmp(builder, LLVMIntUGE,
-                                     stride, buffer_size,
+   needed_buffer_size = LLVMBuildAdd(
+      builder, stride,
+      lp_build_const_int32(gallivm,
+                           util_format_get_blocksize(velem->src_format)),
+      "");
+
+   buffer_overflowed = LLVMBuildICmp(builder, LLVMIntUGT,
+                                     needed_buffer_size, buffer_size,
                                      "buffer_overflowed");
-   /*
-   lp_build_printf(gallivm, "vbuf index = %u, stride is %u\n", index, stride);
-   lp_build_print_value(gallivm, "   buffer size = ", buffer_size);
+#if 0
+   lp_build_printf(gallivm, "vbuf index = %u, vb_stride is %u\n",
+                   index, vb_stride);
+   lp_build_printf(gallivm, "   vb_buffer_offset = %u, src_offset is %u\n",
+                   vb_buffer_offset,
+                   lp_build_const_int32(gallivm, velem->src_offset));
+   lp_build_print_value(gallivm, "   blocksize = ",
+                        lp_build_const_int32(
+                           gallivm,
+                           util_format_get_blocksize(velem->src_format)));
+   lp_build_printf(gallivm, "   stride = %u\n", stride);
+   lp_build_printf(gallivm, "   buffer size = %u\n", buffer_size);
+   lp_build_printf(gallivm, "   needed_buffer_size = %u\n", needed_buffer_size);
    lp_build_print_value(gallivm, "   buffer overflowed = ", buffer_overflowed);
-   */
+#endif
 
    lp_build_if(&if_ctx, gallivm, buffer_overflowed);
    {