Bug 53426 - out-of-bounds access src/mesa/main/fbobject:222
Summary: out-of-bounds access src/mesa/main/fbobject:222
Status: RESOLVED MOVED
Alias: None
Product: Mesa
Classification: Unclassified
Component: Other (show other bugs)
Version: git
Hardware: All All
: medium normal
Assignee: Vinson Lee
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-13 01:01 UTC by Vinson Lee
Modified: 2019-09-18 20:17 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Vinson Lee 2012-08-13 01:01:16 UTC
Reported by Coverity.

 188struct gl_renderbuffer_attachment *
 189_mesa_get_attachment(struct gl_context *ctx, struct gl_framebuffer *fb,
 190                     GLenum attachment)
 191{
 192   GLuint i;
 193
At (1): Condition "_mesa_is_user_fbo(fb)", taking true branch
 194   assert(_mesa_is_user_fbo(fb));
 195
At (2): Switch case value "36073U"
 196   switch (attachment) {
 197   case GL_COLOR_ATTACHMENT0_EXT:
 198   case GL_COLOR_ATTACHMENT1_EXT:
 199   case GL_COLOR_ATTACHMENT2_EXT:
 200   case GL_COLOR_ATTACHMENT3_EXT:
 201   case GL_COLOR_ATTACHMENT4_EXT:
 202   case GL_COLOR_ATTACHMENT5_EXT:
 203   case GL_COLOR_ATTACHMENT6_EXT:
 204   case GL_COLOR_ATTACHMENT7_EXT:
 205   case GL_COLOR_ATTACHMENT8_EXT:
 206   case GL_COLOR_ATTACHMENT9_EXT:
 207   case GL_COLOR_ATTACHMENT10_EXT:
 208   case GL_COLOR_ATTACHMENT11_EXT:
 209   case GL_COLOR_ATTACHMENT12_EXT:
 210   case GL_COLOR_ATTACHMENT13_EXT:
 211   case GL_COLOR_ATTACHMENT14_EXT:
 212   case GL_COLOR_ATTACHMENT15_EXT:
 213      /* Only OpenGL ES 1.x forbids color attachments other than
 214       * GL_COLOR_ATTACHMENT0.  For all other APIs the limit set by the
 215       * hardware is used.
 216       */
At (3): Assigning: "i" = "attachment - 36064U".
 217      i = attachment - GL_COLOR_ATTACHMENT0_EXT;
At (4): Condition "i >= ctx->Const.MaxColorAttachments", taking false branch
At (5): Condition "i > 0U", taking true branch
At (6): Condition "ctx->API == 1U", taking false branch
 218      if (i >= ctx->Const.MaxColorAttachments
 219          || (i > 0 && ctx->API == API_OPENGLES)) {
 220         return NULL;
 221      }
CID 714349: Out-of-bounds access (OVERRUN)
At (7): "&fb->Attachment[8U + i]" evaluates to an address that is at byte offset 680 of an array of 640 bytes.
 222      return &fb->Attachment[BUFFER_COLOR0 + i];
 223   case GL_DEPTH_STENCIL_ATTACHMENT:
 224      if (!_mesa_is_desktop_gl(ctx))
 225         return NULL;
 226      /* fall-through */
 227   case GL_DEPTH_ATTACHMENT_EXT:
 228      return &fb->Attachment[BUFFER_DEPTH];
 229   case GL_STENCIL_ATTACHMENT_EXT:
 230      return &fb->Attachment[BUFFER_STENCIL];
 231   default:
 232      return NULL;
 233   }
 234}
Comment 1 Brian Paul 2012-08-16 19:02:18 UTC
This warning is kind of bogus.

Jose suggested adding an assertion like this:

   assert(BUFFER_COLOR0 + ctx->Const.MaxColorAttachments <= Elements(fb->Attachment));
Comment 2 Brian Paul 2012-08-16 23:06:25 UTC
Alternately, can you try this patch, Vinson?

diff --git a/src/mesa/main/fbobject.c b/src/mesa/main/fbobject.c
index 792a92d..03094cc 100644
--- a/src/mesa/main/fbobject.c
+++ b/src/mesa/main/fbobject.c
@@ -215,8 +215,9 @@ _mesa_get_attachment(struct gl_context *ctx, struct gl_frame
        * hardware is used.
        */
       i = attachment - GL_COLOR_ATTACHMENT0_EXT;
-      if (i >= ctx->Const.MaxColorAttachments
-         || (i > 0 && ctx->API == API_OPENGLES)) {
+      if (i >= ctx->Const.MaxColorAttachments ||
+          BUFFER_COLOR0 + i >= Elements(fb->Attachment) ||
+         (i > 0 && ctx->API == API_OPENGLES)) {
         return NULL;
       }
       return &fb->Attachment[BUFFER_COLOR0 + i];
Comment 3 GitLab Migration User 2019-09-18 20:17:03 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/mesa/mesa/issues/899.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.