Reported by Coverity. 188struct gl_renderbuffer_attachment * 189_mesa_get_attachment(struct gl_context *ctx, struct gl_framebuffer *fb, 190 GLenum attachment) 191{ 192 GLuint i; 193 At (1): Condition "_mesa_is_user_fbo(fb)", taking true branch 194 assert(_mesa_is_user_fbo(fb)); 195 At (2): Switch case value "36073U" 196 switch (attachment) { 197 case GL_COLOR_ATTACHMENT0_EXT: 198 case GL_COLOR_ATTACHMENT1_EXT: 199 case GL_COLOR_ATTACHMENT2_EXT: 200 case GL_COLOR_ATTACHMENT3_EXT: 201 case GL_COLOR_ATTACHMENT4_EXT: 202 case GL_COLOR_ATTACHMENT5_EXT: 203 case GL_COLOR_ATTACHMENT6_EXT: 204 case GL_COLOR_ATTACHMENT7_EXT: 205 case GL_COLOR_ATTACHMENT8_EXT: 206 case GL_COLOR_ATTACHMENT9_EXT: 207 case GL_COLOR_ATTACHMENT10_EXT: 208 case GL_COLOR_ATTACHMENT11_EXT: 209 case GL_COLOR_ATTACHMENT12_EXT: 210 case GL_COLOR_ATTACHMENT13_EXT: 211 case GL_COLOR_ATTACHMENT14_EXT: 212 case GL_COLOR_ATTACHMENT15_EXT: 213 /* Only OpenGL ES 1.x forbids color attachments other than 214 * GL_COLOR_ATTACHMENT0. For all other APIs the limit set by the 215 * hardware is used. 216 */ At (3): Assigning: "i" = "attachment - 36064U". 217 i = attachment - GL_COLOR_ATTACHMENT0_EXT; At (4): Condition "i >= ctx->Const.MaxColorAttachments", taking false branch At (5): Condition "i > 0U", taking true branch At (6): Condition "ctx->API == 1U", taking false branch 218 if (i >= ctx->Const.MaxColorAttachments 219 || (i > 0 && ctx->API == API_OPENGLES)) { 220 return NULL; 221 } CID 714349: Out-of-bounds access (OVERRUN) At (7): "&fb->Attachment[8U + i]" evaluates to an address that is at byte offset 680 of an array of 640 bytes. 222 return &fb->Attachment[BUFFER_COLOR0 + i]; 223 case GL_DEPTH_STENCIL_ATTACHMENT: 224 if (!_mesa_is_desktop_gl(ctx)) 225 return NULL; 226 /* fall-through */ 227 case GL_DEPTH_ATTACHMENT_EXT: 228 return &fb->Attachment[BUFFER_DEPTH]; 229 case GL_STENCIL_ATTACHMENT_EXT: 230 return &fb->Attachment[BUFFER_STENCIL]; 231 default: 232 return NULL; 233 } 234}
This warning is kind of bogus. Jose suggested adding an assertion like this: assert(BUFFER_COLOR0 + ctx->Const.MaxColorAttachments <= Elements(fb->Attachment));
Alternately, can you try this patch, Vinson?
diff --git a/src/mesa/main/fbobject.c b/src/mesa/main/fbobject.c
index 792a92d..03094cc 100644
--- a/src/mesa/main/fbobject.c
+++ b/src/mesa/main/fbobject.c
@@ -215,8 +215,9 @@ _mesa_get_attachment(struct gl_context *ctx, struct gl_frame
 * hardware is used.
 */
 i = attachment - GL_COLOR_ATTACHMENT0_EXT;
- if (i >= ctx->Const.MaxColorAttachments
- || (i > 0 && ctx->API == API_OPENGLES)) {
+ if (i >= ctx->Const.MaxColorAttachments ||
+ BUFFER_COLOR0 + i >= Elements(fb->Attachment) ||
+ (i > 0 && ctx->API == API_OPENGLES)) {
 return NULL;
 }
 return &fb->Attachment[BUFFER_COLOR0 + i];
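Review bot: The added `BUFFER_COLOR0 + i >= Elements(fb->Attachment)` test carries no comment saying which invariant it protects, so a later reader cannot tell it apart from a redundant copy of the `MaxColorAttachments` check. Going by the Coverity trace on this page (index 8 + 9 lands at byte 680 of a 640-byte array), `fb->Attachment` appears to have fewer color slots than the sixteen enums the switch accepts, so this guard is what keeps the index in range if `ctx->Const.MaxColorAttachments` is ever set above the slot count. I would put `/* Keep the index inside fb->Attachment[] even if MaxColorAttachments exceeds the available color slots (Coverity CID 714349). */` above the condition. Returning NULL in that case is presumably reported to the application as an invalid attachment, which would hide the misconfigured limit; the callers and the rest of the function body are outside the hunk.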
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/mesa/mesa/issues/899.