lavapipe: Prevent integer overflow adding index buffer offset and start index. (!19683) · Merge requests · Mesa / mesa

Jose Fonseca requested to merge jrfonseca/mesa:llvmpipe-draw-ib-oob into main Nov 11, 2022

Direct3D and Vulkan's robustBufferAccess2 feature mandate that index buffer out-of-bounds reads should return a zero index (ie, vertex at index zero, not to be confused with a vertex with zero attributes, as the kind resulting in vertex buffer out-of-bounds read.)

lavapipe was adding index_offset and start index together without overflow checks, and if start index was sufficient large (as is the case with WHCK wgf11draw which sets start index to (UINT)-5) it would cause to wrap around causing fetches that should be out of bounds wrap around and fetch inside bounds.

This change fixes this by doing a clamped add. This ensures start index is set to UINT32_MAX on overflow, which is sufficient in practice to trigger draw index OOB code-paths, yield zero index to be returned.

This MR also fixes compiler warnings when shader cache disabled.

/cc @brianp, @sroland, @zmike

lavapipe: Prevent integer overflow adding index buffer offset and start index.

Merge request reports