From 53d36d5fb09cda39c8d3646cbccbd343b34bfb54 Mon Sep 17 00:00:00 2001
From: Zack Rusin
Date: Tue, 23 Apr 2013 18:56:47 -0400
Subject: [PATCH] draw/so: Fix overflow calculations
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
We weren't taking the buffer offset, destination offset or the stride into consideration so we were frequently writing into an overflown buffer.
Signed-off-by: Zack Rusin
Reviewed-by: José Fonseca
Reviewed-by: Roland Scheidegger
---
 src/gallium/auxiliary/draw/draw_pt_so_emit.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/gallium/auxiliary/draw/draw_pt_so_emit.c b/src/gallium/auxiliary/draw/draw_pt_so_emit.c
index fc69017..cdfd13c 100644
--- a/src/gallium/auxiliary/draw/draw_pt_so_emit.c
+++ b/src/gallium/auxiliary/draw/draw_pt_so_emit.c
@@ -129,20 +129,25 @@ static void so_emit_prim(struct pt_so_emit *so,
 for (i = 0; i < draw->so.num_targets; i++) {
 struct draw_so_target *target = draw->so.targets[i];
- buffer_total_bytes[i] = target->internal_offset;
+ buffer_total_bytes[i] = target->internal_offset + target->target.buffer_offset;
 }
 /* check have we space to emit prim first - if not don't do anything */
 for (i = 0; i < num_vertices; ++i) {
+ unsigned ob;
 for (slot = 0; slot < state->num_outputs; ++slot) {
 unsigned num_comps = state->output[slot].num_components;
 int ob = state->output[slot].output_buffer;
+ unsigned dst_offset = state->output[slot].dst_offset * sizeof(float);
+ unsigned write_size = num_comps * sizeof(float);
- if ((buffer_total_bytes[ob] + num_comps * sizeof(float)) >
+ if ((buffer_total_bytes[ob] + write_size + dst_offset) >
 draw->so.targets[ob]->target.buffer_size) {
 return;
 }
- buffer_total_bytes[ob] += num_comps * sizeof(float);
+ }
+ for (ob = 0; ob < draw->so.num_targets; ++ob) {
+ buffer_total_bytes[ob] += state->stride[ob] * sizeof(float);
 }
 }
-- 
2.7.4
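Review bot: The space check `(buffer_total_bytes[ob] + write_size + dst_offset) > draw->so.targets[ob]->target.buffer_size` is computed as an unsigned sum, so a large `internal_offset`, `buffer_offset` or `dst_offset` could wrap it and let the check pass; the declaration of `buffer_total_bytes` is outside the hunk, so its width is assumed here to be `unsigned`. Comparing against the remaining space avoids the wrap: `unsigned size = draw->so.targets[ob]->target.buffer_size;` followed by `if (buffer_total_bytes[ob] > size || write_size + dst_offset > size - buffer_total_bytes[ob]) return;`. The new outer `unsigned ob` is also shadowed by the inner `int ob`, which is used as an array index with no check against `draw->so.num_targets` visible in this hunk; renaming one of them and keeping the index unsigned would make the indexing easier to audit. so_emit_prim begins before and continues after the hunk, so validation done elsewhere in the function is not visible here.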