Bug 53426 - out-of-bounds access src/mesa/main/fbobject:222
Summary: out-of-bounds access src/mesa/main/fbobject:222
Status: ASSIGNED
Alias: None
Product: Mesa
Classification: Unclassified
Component: Other (show other bugs)
Version: git
Hardware: All All
: medium normal
Assignee: Vinson Lee
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-13 01:01 UTC by Vinson Lee
Modified: 2018-03-07 23:00 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Vinson Lee 2012-08-13 01:01:16 UTC
Reported by Coverity.

 188struct gl_renderbuffer_attachment *
 189_mesa_get_attachment(struct gl_context *ctx, struct gl_framebuffer *fb,
 190                     GLenum attachment)
 191{
 192   GLuint i;
 193
At (1): Condition "_mesa_is_user_fbo(fb)", taking true branch
 194   assert(_mesa_is_user_fbo(fb));
 195
At (2): Switch case value "36073U"
 196   switch (attachment) {
 197   case GL_COLOR_ATTACHMENT0_EXT:
 198   case GL_COLOR_ATTACHMENT1_EXT:
 199   case GL_COLOR_ATTACHMENT2_EXT:
 200   case GL_COLOR_ATTACHMENT3_EXT:
 201   case GL_COLOR_ATTACHMENT4_EXT:
 202   case GL_COLOR_ATTACHMENT5_EXT:
 203   case GL_COLOR_ATTACHMENT6_EXT:
 204   case GL_COLOR_ATTACHMENT7_EXT:
 205   case GL_COLOR_ATTACHMENT8_EXT:
 206   case GL_COLOR_ATTACHMENT9_EXT:
 207   case GL_COLOR_ATTACHMENT10_EXT:
 208   case GL_COLOR_ATTACHMENT11_EXT:
 209   case GL_COLOR_ATTACHMENT12_EXT:
 210   case GL_COLOR_ATTACHMENT13_EXT:
 211   case GL_COLOR_ATTACHMENT14_EXT:
 212   case GL_COLOR_ATTACHMENT15_EXT:
 213      /* Only OpenGL ES 1.x forbids color attachments other than
 214       * GL_COLOR_ATTACHMENT0.  For all other APIs the limit set by the
 215       * hardware is used.
 216       */
At (3): Assigning: "i" = "attachment - 36064U".
 217      i = attachment - GL_COLOR_ATTACHMENT0_EXT;
At (4): Condition "i >= ctx->Const.MaxColorAttachments", taking false branch
At (5): Condition "i > 0U", taking true branch
At (6): Condition "ctx->API == 1U", taking false branch
 218      if (i >= ctx->Const.MaxColorAttachments
 219          || (i > 0 && ctx->API == API_OPENGLES)) {
 220         return NULL;
 221      }
CID 714349: Out-of-bounds access (OVERRUN)
At (7): "&fb->Attachment[8U + i]" evaluates to an address that is at byte offset 680 of an array of 640 bytes.
 222      return &fb->Attachment[BUFFER_COLOR0 + i];
 223   case GL_DEPTH_STENCIL_ATTACHMENT:
 224      if (!_mesa_is_desktop_gl(ctx))
 225         return NULL;
 226      /* fall-through */
 227   case GL_DEPTH_ATTACHMENT_EXT:
 228      return &fb->Attachment[BUFFER_DEPTH];
 229   case GL_STENCIL_ATTACHMENT_EXT:
 230      return &fb->Attachment[BUFFER_STENCIL];
 231   default:
 232      return NULL;
 233   }
 234}
Comment 1 Brian Paul 2012-08-16 19:02:18 UTC
This warning is kind of bogus.

Jose suggested adding an assertion like this:

   assert(BUFFER_COLOR0 + ctx->Const.MaxColorAttachments <= Elements(fb->Attachment));
Comment 2 Brian Paul 2012-08-16 23:06:25 UTC
Alternately, can you try this patch, Vinson?

diff --git a/src/mesa/main/fbobject.c b/src/mesa/main/fbobject.c
index 792a92d..03094cc 100644
--- a/src/mesa/main/fbobject.c
+++ b/src/mesa/main/fbobject.c
@@ -215,8 +215,9 @@ _mesa_get_attachment(struct gl_context *ctx, struct gl_frame
        * hardware is used.
        */
       i = attachment - GL_COLOR_ATTACHMENT0_EXT;
-      if (i >= ctx->Const.MaxColorAttachments
-         || (i > 0 && ctx->API == API_OPENGLES)) {
+      if (i >= ctx->Const.MaxColorAttachments ||
+          BUFFER_COLOR0 + i >= Elements(fb->Attachment) ||
+         (i > 0 && ctx->API == API_OPENGLES)) {
         return NULL;
       }
       return &fb->Attachment[BUFFER_COLOR0 + i];


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.