Fixes out of bounds access introduced by commit 61e02c5e4f20de6c82342a2ffaa001150bd7c56f and RiME crash on start.
Signed-off-by: Paul Gofman pgofman@codeweavers.com --- v2: - sanitize wined3d_bind_layer_count() parameters.
dlls/wined3d/wined3d_private.h | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/dlls/wined3d/wined3d_private.h b/dlls/wined3d/wined3d_private.h index 93e5b50a9c8..ec4016b74dc 100644 --- a/dlls/wined3d/wined3d_private.h +++ b/dlls/wined3d/wined3d_private.h @@ -6038,6 +6038,11 @@ static inline BOOL wined3d_dsv_srv_conflict(const struct wined3d_rendertarget_vi || (srv_format->green_size && !(dsv->desc.flags & WINED3D_VIEW_READ_ONLY_STENCIL)); }
+static inline unsigned int wined3d_bind_layer_count(const struct wined3d_texture *texture) +{ + return texture->resource.type == WINED3D_RTYPE_TEXTURE_3D ? texture->resource.depth : texture->layer_count; +} + static inline bool wined3d_srv_all_subresources(const struct wined3d_shader_resource_view *srv) { struct wined3d_texture *texture; @@ -6050,7 +6055,7 @@ static inline bool wined3d_srv_all_subresources(const struct wined3d_shader_reso
texture = texture_from_resource(srv->resource); return srv->desc.u.texture.level_count == texture->level_count - && srv->desc.u.texture.layer_count == texture->layer_count; + && srv->desc.u.texture.layer_count == wined3d_bind_layer_count(texture); }
static inline bool wined3d_rtv_all_subresources(const struct wined3d_rendertarget_view *rtv) @@ -6064,7 +6069,7 @@ static inline bool wined3d_rtv_all_subresources(const struct wined3d_rendertarge return FALSE;
texture = texture_from_resource(rtv->resource); - return texture->level_count == 1 && rtv->layer_count == texture->layer_count; + return texture->level_count == 1 && rtv->layer_count == wined3d_bind_layer_count(texture); }
static inline void wined3d_srv_bind_count_inc(struct wined3d_shader_resource_view *srv) @@ -6082,7 +6087,7 @@ static inline void wined3d_srv_bind_count_inc(struct wined3d_shader_resource_vie
if (!resource->sub_resource_bind_counts_device && !(resource->sub_resource_bind_counts_device = heap_alloc_zero(texture->level_count - * texture->layer_count * sizeof(*resource->sub_resource_bind_counts_device)))) + * wined3d_bind_layer_count(texture) * sizeof(*resource->sub_resource_bind_counts_device)))) return;
for (layer = 0; layer < srv->desc.u.texture.layer_count; ++layer) @@ -6131,7 +6136,7 @@ static inline void wined3d_rtv_bind_count_inc(struct wined3d_rendertarget_view *
if (!resource->sub_resource_bind_counts_device && !(resource->sub_resource_bind_counts_device = heap_alloc_zero(texture->level_count - * texture->layer_count * sizeof(*resource->sub_resource_bind_counts_device)))) + * wined3d_bind_layer_count(texture) * sizeof(*resource->sub_resource_bind_counts_device)))) return;
for (layer = 0; layer < rtv->layer_count; ++layer)
Signed-off-by: Paul Gofman pgofman@codeweavers.com --- v2: - no changes.
dlls/wined3d/context.c | 4 +- dlls/wined3d/wined3d_private.h | 99 ++++++++++++++-------------------- 2 files changed, 41 insertions(+), 62 deletions(-)
diff --git a/dlls/wined3d/context.c b/dlls/wined3d/context.c index 08c6e27922c..ee2659ce23a 100644 --- a/dlls/wined3d/context.c +++ b/dlls/wined3d/context.c @@ -347,8 +347,8 @@ static void context_preload_texture(struct wined3d_context *context, if (!(texture = state->textures[idx])) return;
- if (texture->resource.rtv_bind_count_device || (state->fb.depth_stencil - && state->fb.depth_stencil->resource == &texture->resource)) + if ((texture->resource.rtv_full_bind_count_device + texture->resource.rtv_partial_bind_count_device) + || (state->fb.depth_stencil && state->fb.depth_stencil->resource == &texture->resource)) context->uses_fbo_attached_resources = 1;
wined3d_texture_load(texture, context, is_srgb_enabled(state->sampler_states[idx])); diff --git a/dlls/wined3d/wined3d_private.h b/dlls/wined3d/wined3d_private.h index ec4016b74dc..c7f939f436f 100644 --- a/dlls/wined3d/wined3d_private.h +++ b/dlls/wined3d/wined3d_private.h @@ -3977,15 +3977,10 @@ struct wined3d_resource_ops HRESULT (*resource_sub_resource_unmap)(struct wined3d_resource *resource, unsigned int sub_resource_idx); };
-#define WINED3D_SUB_RESOURCES_BIND_SRV 1 -#define WINED3D_SUB_RESOURCES_BIND_RTV 2 - struct wined3d_resource { LONG ref; LONG bind_count; - uint32_t srv_bind_count_device; - uint32_t rtv_bind_count_device; LONG map_count; LONG access_count; struct wined3d_device *device; @@ -4019,7 +4014,10 @@ struct wined3d_resource uint32_t rtv; } *sub_resource_bind_counts_device; - uint32_t sub_resource_bind_flags; + uint32_t srv_full_bind_count_device; + uint32_t rtv_full_bind_count_device; + uint32_t srv_partial_bind_count_device; + uint32_t rtv_partial_bind_count_device; };
static inline ULONG wined3d_resource_incref(struct wined3d_resource *resource) @@ -6072,16 +6070,19 @@ static inline bool wined3d_rtv_all_subresources(const struct wined3d_rendertarge return texture->level_count == 1 && rtv->layer_count == wined3d_bind_layer_count(texture); }
-static inline void wined3d_srv_bind_count_inc(struct wined3d_shader_resource_view *srv) +static inline void wined3d_srv_bind_count_add(struct wined3d_shader_resource_view *srv, int value) { struct wined3d_resource *resource = srv->resource; struct wined3d_texture *texture; unsigned int level, layer;
- ++resource->srv_bind_count_device; - if (wined3d_srv_all_subresources(srv)) + { + resource->srv_full_bind_count_device += value; return; + } + + resource->srv_partial_bind_count_device += value;
texture = texture_from_resource(resource);
@@ -6092,45 +6093,33 @@ static inline void wined3d_srv_bind_count_inc(struct wined3d_shader_resource_vie
for (layer = 0; layer < srv->desc.u.texture.layer_count; ++layer) for (level = 0; level < srv->desc.u.texture.level_count; ++level) - ++resource->sub_resource_bind_counts_device[(layer + srv->desc.u.texture.layer_idx) - * texture->level_count + srv->desc.u.texture.level_idx + level].srv; + resource->sub_resource_bind_counts_device[(layer + srv->desc.u.texture.layer_idx) + * texture->level_count + srv->desc.u.texture.level_idx + level].srv += value; +}
- resource->sub_resource_bind_flags |= WINED3D_SUB_RESOURCES_BIND_SRV; +static inline void wined3d_srv_bind_count_inc(struct wined3d_shader_resource_view *srv) +{ + wined3d_srv_bind_count_add(srv, 1); }
static inline void wined3d_srv_bind_count_dec(struct wined3d_shader_resource_view *srv) { - struct wined3d_resource *resource = srv->resource; - unsigned int level, layer, count; - struct wined3d_texture *texture; - - --resource->srv_bind_count_device; - - if (wined3d_srv_all_subresources(srv)) - return; - - texture = texture_from_resource(resource); - - count = 0; - for (layer = 0; layer < srv->desc.u.texture.layer_count; ++layer) - for (level = 0; level < srv->desc.u.texture.level_count; ++level) - count += --resource->sub_resource_bind_counts_device[(layer + srv->desc.u.texture.layer_idx) - * texture->level_count + srv->desc.u.texture.level_idx + level].srv; - - if (!count) - resource->sub_resource_bind_flags &= ~WINED3D_SUB_RESOURCES_BIND_SRV; + wined3d_srv_bind_count_add(srv, -1); }
-static inline void wined3d_rtv_bind_count_inc(struct wined3d_rendertarget_view *rtv) +static inline void wined3d_rtv_bind_count_add(struct wined3d_rendertarget_view *rtv, int value) { struct wined3d_resource *resource = rtv->resource; struct wined3d_texture *texture; unsigned int layer;
- ++resource->rtv_bind_count_device; - if (wined3d_rtv_all_subresources(rtv)) + { + resource->rtv_full_bind_count_device += value; return; + } + + resource->rtv_partial_bind_count_device += value;
texture = texture_from_resource(resource);
@@ -6140,31 +6129,17 @@ static inline void wined3d_rtv_bind_count_inc(struct wined3d_rendertarget_view * return;
for (layer = 0; layer < rtv->layer_count; ++layer) - ++resource->sub_resource_bind_counts_device[rtv->sub_resource_idx + layer * texture->level_count].rtv; + resource->sub_resource_bind_counts_device[rtv->sub_resource_idx + layer * texture->level_count].rtv += value; +}
- resource->sub_resource_bind_flags |= WINED3D_SUB_RESOURCES_BIND_RTV; +static inline void wined3d_rtv_bind_count_inc(struct wined3d_rendertarget_view *rtv) +{ + wined3d_rtv_bind_count_add(rtv, 1); }
static inline void wined3d_rtv_bind_count_dec(struct wined3d_rendertarget_view *rtv) { - struct wined3d_resource *resource = rtv->resource; - struct wined3d_texture *texture; - unsigned int layer, count; - - --resource->rtv_bind_count_device; - - if (wined3d_rtv_all_subresources(rtv)) - return; - - texture = texture_from_resource(rtv->resource); - - count = 0; - for (layer = 0; layer < rtv->layer_count; ++layer) - count += --resource->sub_resource_bind_counts_device[rtv->sub_resource_idx - + layer * texture->level_count].rtv; - - if (!count) - resource->sub_resource_bind_flags &= ~WINED3D_SUB_RESOURCES_BIND_RTV; + wined3d_rtv_bind_count_add(rtv, -1); }
static inline bool wined3d_is_srv_rtv_bound(const struct wined3d_shader_resource_view *srv) @@ -6173,9 +6148,11 @@ static inline bool wined3d_is_srv_rtv_bound(const struct wined3d_shader_resource struct wined3d_texture *texture; unsigned int level, layer;
- if (!resource->rtv_bind_count_device || !(resource->sub_resource_bind_flags & WINED3D_SUB_RESOURCES_BIND_RTV) - || wined3d_srv_all_subresources(srv)) - return resource->rtv_bind_count_device; + if (!(resource->rtv_full_bind_count_device + resource->rtv_partial_bind_count_device)) + return FALSE; + + if (resource->rtv_full_bind_count_device || wined3d_srv_all_subresources(srv)) + return TRUE;
texture = texture_from_resource(resource);
@@ -6194,9 +6171,11 @@ static inline bool wined3d_is_rtv_srv_bound(const struct wined3d_rendertarget_vi struct wined3d_texture *texture; unsigned int layer;
- if (!resource->srv_bind_count_device || !(resource->sub_resource_bind_flags & WINED3D_SUB_RESOURCES_BIND_SRV) - || wined3d_rtv_all_subresources(rtv)) - return resource->srv_bind_count_device; + if (!(resource->srv_full_bind_count_device + resource->srv_partial_bind_count_device)) + return FALSE; + + if (resource->srv_full_bind_count_device || wined3d_rtv_all_subresources(rtv)) + return TRUE;
texture = texture_from_resource(resource);
Signed-off-by: Henri Verbeet hverbeet@codeweavers.com
-
Henri Verbeet -
Paul Gofman