authorZack Middleton <zturtleman@gmail.com>2015-10-16 20:12:51 -0500
committerTim Angus <tim@ngus.net>2016-04-07 11:12:56 +0100
commit0972dc8edfdadae375ab0a517e324178f8ec99f0 (patch)
treed05a185b2aa56d25a61a5cb3a2e4ec93c0a7e435
parent27b955ed8aae71e0a4a15d75e1c06ffa6516fbe5 (diff)
Fix crash from reading past end of tr.refdef.drawSurfs
The number of draw surfaces was range-checked against the number of surfaces for the current view, but the check needs to use the total for the frame; otherwise the code can read past the end of the tr.refdef.drawSurfs array when there are multiple views.
-rw-r--r--src/renderergl1/tr_main.c18
-rw-r--r--src/renderergl2/tr_main.c18
2 files changed, 20 insertions, 16 deletions
diff --git a/src/renderergl1/tr_main.c b/src/renderergl1/tr_main.c
index b216d38f..7df28230 100644
--- a/src/renderergl1/tr_main.c
+++ b/src/renderergl1/tr_main.c
@@ -1147,13 +1147,6 @@ void R_SortDrawSurfs( drawSurf_t *drawSurfs, int numDrawSurfs ) {
return;
}
- // if we overflowed MAX_DRAWSURFS, the drawsurfs
- // wrapped around in the buffer and we will be missing
- // the first surfaces, not the last ones
- if ( numDrawSurfs > MAX_DRAWSURFS ) {
- numDrawSurfs = MAX_DRAWSURFS;
- }
-
// sort the drawsurfs by sort type, then orientation, then shader
R_RadixSort( drawSurfs, numDrawSurfs );
@@ -1362,6 +1355,7 @@ or a mirror / remote location
*/
void R_RenderView (viewParms_t *parms) {
int firstDrawSurf;
+ int numDrawSurfs;
if ( parms->viewportWidth <= 0 || parms->viewportHeight <= 0 ) {
return;
@@ -1384,7 +1378,15 @@ void R_RenderView (viewParms_t *parms) {
R_GenerateDrawSurfs();
- R_SortDrawSurfs( tr.refdef.drawSurfs + firstDrawSurf, tr.refdef.numDrawSurfs - firstDrawSurf );
+ // if we overflowed MAX_DRAWSURFS, the drawsurfs
+ // wrapped around in the buffer and we will be missing
+ // the first surfaces, not the last ones
+ numDrawSurfs = tr.refdef.numDrawSurfs;
+ if ( numDrawSurfs > MAX_DRAWSURFS ) {
+ numDrawSurfs = MAX_DRAWSURFS;
+ }
+
+ R_SortDrawSurfs( tr.refdef.drawSurfs + firstDrawSurf, numDrawSurfs - firstDrawSurf );
// draw main system development information (surface outlines, etc)
R_DebugGraphics();
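Review bot: The clamp added before the R_SortDrawSurfs call bounds numDrawSurfs but not firstDrawSurf, so the base `tr.refdef.drawSurfs + firstDrawSurf` and the count `numDrawSurfs - firstDrawSurf` are still unchecked when firstDrawSurf itself is above MAX_DRAWSURFS. firstDrawSurf is assigned outside this hunk; if it is taken from the frame-wide tr.refdef.numDrawSurfs, a view rendered after the buffer has already overflowed would pass a negative count and a base past the end of the array, and would depend on the early return at the top of R_SortDrawSurfs, whose condition is not visible here. Consider adding `if ( firstDrawSurf > numDrawSurfs ) { firstDrawSurf = numDrawSurfs; }` right after the clamp so the callee always gets an in-bounds base and a non-negative count. The same applies to the identical hunk in src/renderergl2/tr_main.c. R_RenderView's body starts and ends outside the hunk.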
diff --git a/src/renderergl2/tr_main.c b/src/renderergl2/tr_main.c
index 287f95d3..2682d471 100644
--- a/src/renderergl2/tr_main.c
+++ b/src/renderergl2/tr_main.c
@@ -1821,13 +1821,6 @@ void R_SortDrawSurfs( drawSurf_t *drawSurfs, int numDrawSurfs ) {
return;
}
- // if we overflowed MAX_DRAWSURFS, the drawsurfs
- // wrapped around in the buffer and we will be missing
- // the first surfaces, not the last ones
- if ( numDrawSurfs > MAX_DRAWSURFS ) {
- numDrawSurfs = MAX_DRAWSURFS;
- }
-
// sort the drawsurfs by sort type, then orientation, then shader
R_RadixSort( drawSurfs, numDrawSurfs );
@@ -2054,6 +2047,7 @@ or a mirror / remote location
*/
void R_RenderView (viewParms_t *parms) {
int firstDrawSurf;
+ int numDrawSurfs;
if ( parms->viewportWidth <= 0 || parms->viewportHeight <= 0 ) {
return;
@@ -2076,7 +2070,15 @@ void R_RenderView (viewParms_t *parms) {
R_GenerateDrawSurfs();
- R_SortDrawSurfs( tr.refdef.drawSurfs + firstDrawSurf, tr.refdef.numDrawSurfs - firstDrawSurf );
+ // if we overflowed MAX_DRAWSURFS, the drawsurfs
+ // wrapped around in the buffer and we will be missing
+ // the first surfaces, not the last ones
+ numDrawSurfs = tr.refdef.numDrawSurfs;
+ if ( numDrawSurfs > MAX_DRAWSURFS ) {
+ numDrawSurfs = MAX_DRAWSURFS;
+ }
+
+ R_SortDrawSurfs( tr.refdef.drawSurfs + firstDrawSurf, numDrawSurfs - firstDrawSurf );
// draw main system development information (surface outlines, etc)
R_DebugGraphics();