diff --git a/kernels/common/buffer.h b/kernels/common/buffer.h
index 2306757f29..984ed43ddd 100644
--- a/kernels/common/buffer.h
+++ b/kernels/common/buffer.h
@@ -248,8 +248,21 @@ namespace embree
 /*! sets the buffer view */
 void set(const Ref& buffer_in, size_t offset_in, size_t stride_in, size_t num_in, RTCFormat format_in)
 {
- if ((offset_in + stride_in * num_in) > (stride_in * buffer_in->numBytes))
+ if (stride_in > 0xFFFFFFFFu) {
+ throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large");
+ }
+
+ if (num_in > 0xFFFFFFFFu) {
+ throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"item count too large");
+ }
+
+ if (offset_in > buffer_in->numBytes) {
+ throw_RTCError(RTC_ERROR_INVALID_ARGUMENT, "offset too large");
+ }
+
+ if (stride_in * num_in > buffer_in->numBytes - offset_in) {
 throw_RTCError(RTC_ERROR_INVALID_ARGUMENT, "buffer range out of bounds");
+ }
 ptr_ofs = buffer_in->getHostPtr() + offset_in;
 dptr_ofs = buffer_in->getDevicePtr() + offset_in;
diff --git a/kernels/common/rtcore.cpp b/kernels/common/rtcore.cpp
index 34306436e5..5f8ec82c7e 100644
--- a/kernels/common/rtcore.cpp
+++ b/kernels/common/rtcore.cpp
@@ -1857,6 +1857,9 @@ RTC_API void rtcSetGeometryTransform(RTCGeometry hgeometry, unsigned int timeSte
 if (itemCount > 0xFFFFFFFFu)
 throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"buffer too large");
+ if (byteStride > 0xFFFFFFFFu)
+ throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large");
+
 geometry->setBuffer(type, slot, format, buffer, byteOffset, byteStride, (unsigned int)itemCount);
 RTC_CATCH_END2(geometry);
 }
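Review bot: The product `stride_in * num_in` in the final check of the buffer.h hunk is overflow-free only because both factors were capped at 0xFFFFFFFF and size_t is 64 bits wide. On a build where size_t is 32 bits the two cap checks can never fire, and the multiplication can still wrap before the comparison. A division-based form keeps the range check independent of the width: `if (num_in != 0 && stride_in > (buffer_in->numBytes - offset_in) / num_in) {`. If only 64-bit targets are supported, `static_assert(sizeof(size_t) >= 8, "range check relies on 64-bit size_t");` next to the checks would record that assumption. The body of set() continues past the end of the hunk.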
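Review bot: The `itemCount` / `byteStride` limit pair now appears verbatim at five call sites (this first rtcore.cpp hunk and the four that follow), so a buffer entry point added later can silently miss one of the two comparisons. Moving both into one file-local helper and calling it from each site, e.g. `checkBufferLimits(byteStride, itemCount);` (the name is only a suggestion), would keep the limits and their error messages in one place. The enclosing functions start before each hunk, so their names and parameter types are not visible here.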
@@ -1871,6 +1874,9 @@ RTC_API void rtcSetGeometryTransform(RTCGeometry hgeometry, unsigned int timeSte
 if (itemCount > 0xFFFFFFFFu)
 throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"buffer too large");
+ if (byteStride > 0xFFFFFFFFu)
+ throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large");
+
 Ref buffer = new Buffer(geometry->device, itemCount*byteStride, (char*)ptr + byteOffset);
 geometry->setBuffer(type, slot, format, buffer, 0, byteStride, (unsigned int)itemCount);
 RTC_CATCH_END2(geometry);
@@ -1889,6 +1895,9 @@ RTC_API void rtcSetGeometryTransform(RTCGeometry hgeometry, unsigned int timeSte
 if (itemCount > 0xFFFFFFFFu)
 throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"buffer too large");
+ if (byteStride > 0xFFFFFFFFu)
+ throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large");
+
 if ((ptr == nullptr) || (dptr == nullptr))
 throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"host and device pointer may not be NULL pointers when using SYCL devices");
@@ -1916,6 +1925,9 @@ RTC_API void rtcSetGeometryTransform(RTCGeometry hgeometry, unsigned int timeSte
 if (itemCount > 0xFFFFFFFFu)
 throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"buffer too large");
+ if (byteStride > 0xFFFFFFFFu)
+ throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large");
+
 /* vertex buffers need to get overallocated slightly as elements are accessed using SSE loads */
 size_t bytes = itemCount*byteStride;
 if (type == RTC_BUFFER_TYPE_VERTEX || type == RTC_BUFFER_TYPE_VERTEX_ATTRIBUTE)
@@ -1941,6 +1953,9 @@ RTC_API void rtcSetGeometryTransform(RTCGeometry hgeometry, unsigned int timeSte
 if (itemCount > 0xFFFFFFFFu)
 throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"buffer too large");
+ if (byteStride > 0xFFFFFFFFu)
+ throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large");
+
 /* vertex buffers need to get overallocated slightly as elements are accessed using SSE loads */
 size_t bytes = itemCount*byteStride;
 if (bufferType == RTC_BUFFER_TYPE_VERTEX || bufferType == RTC_BUFFER_TYPE_VERTEX_ATTRIBUTE)
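Review bot: In the first hunk on this line the wrapper `Buffer` is sized as `itemCount*byteStride` from the caller's own arguments and then bound with offset 0. Assuming `setBuffer` reaches the range check added to `set()` in kernels/common/buffer.h, that check can never fail for this path. Nothing visible here verifies that the application memory behind `ptr` really spans `byteOffset + itemCount*byteStride` bytes. That is inherent to a shared-pointer API, but it is worth stating at the call: `/* size is taken from the caller's itemCount and byteStride; the library cannot verify the application allocation behind ptr */`. The enclosing function begins before the hunk.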
diff --git a/kernels/common/scene_grid_mesh.cpp b/kernels/common/scene_grid_mesh.cpp
index 0eba9aec0c..6356e56b8f 100644
--- a/kernels/common/scene_grid_mesh.cpp
+++ b/kernels/common/scene_grid_mesh.cpp
@@ -142,7 +142,17 @@ namespace embree
 throw_RTCError(RTC_ERROR_INVALID_OPERATION,"stride of vertex buffers have to be identical for each time step");
 if (vertices[t]) vertices[t].buffer->commitIfNeeded();
 }
- if (grids) grids.buffer->commitIfNeeded();
+ if (grids) {
+ /* Verify that grid sizes are in bounds */
+ for (size_t primID=0; primID maxGridRes || g.resY > maxGridRes) {
+ throw_RTCError(RTC_ERROR_INVALID_ARGUMENT, "grid dimensions are too big");
+ }
+
+ }
+ grids.buffer->commitIfNeeded();
+ }
 #if defined(EMBREE_SYCL_SUPPORT)
 /* build quadID_to_primID_xy mapping when hardware ray tracing is supported */
diff --git a/kernels/common/scene_grid_mesh.h b/kernels/common/scene_grid_mesh.h
index c4fbab8930..cd374912f5 100644
--- a/kernels/common/scene_grid_mesh.h
+++ b/kernels/common/scene_grid_mesh.h
@@ -11,6 +11,7 @@ namespace embree
 /*! Grid Mesh */
 struct GridMesh : public Geometry
 {
+ static constexpr unsigned short maxGridRes = 32768;
 /*! type of this geometry */
 static const Geometry::GTypeMask geom_type = Geometry::MTY_GRID_MESH;
@@ -154,12 +155,16 @@ namespace embree
 __forceinline unsigned int getNumQuads(const size_t gridID) const
 {
 const Grid& g = grid(gridID);
+ assert(g.resX <= maxGridRes);
+ assert(g.resY <= maxGridRes);
 return (unsigned int) max((int)1,((int)g.resX-1) * ((int)g.resY-1));
 }
 __forceinline unsigned int getNumSubGrids(const size_t gridID) const
 {
 const Grid& g = grid(gridID);
+ assert(g.resX <= maxGridRes);
+ assert(g.resY <= maxGridRes);
 return max((unsigned int)1,((unsigned int)g.resX >> 1) * ((unsigned int)g.resY >> 1));
 }
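Review bot: The validation added in the scene_grid_mesh.cpp hunk rejects only resolutions above `maxGridRes`, so a `resX` or `resY` of zero passes it. `getNumQuads` in scene_grid_mesh.h then evaluates `((int)g.resX-1) * ((int)g.resY-1)` with a factor of -1 and reports one quad through `max`. If a zero resolution is not a valid grid, the same test could reject it: `if (g.resX == 0 || g.resY == 0 || g.resX > maxGridRes || g.resY > maxGridRes) {`. The `for` line of this hunk is truncated on this page, so the loop bounds could not be reviewed. The enclosing function starts before the hunk.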
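Review bot: `maxGridRes` in the first scene_grid_mesh.h hunk is added without a `/*! ... */` comment, unlike the neighbouring `geom_type`, and the choice of 32768 is not explained. From the casts in `getNumQuads` it appears to be the bound that keeps `((int)g.resX-1) * ((int)g.resY-1)` inside the range of `int`. A comment such as `/*! maximum grid resolution per dimension; keeps the quad count computed in getNumQuads within int range */` would record that.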
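Review bot: The four `assert`s added in the second scene_grid_mesh.h hunk compile to nothing when NDEBUG is defined, so in release builds `getNumQuads` and `getNumSubGrids` rely entirely on the commit-time check in scene_grid_mesh.cpp. If the grid buffer can be application-shared memory, its contents may change after that check, and the `(int)` product would then be computed on unvalidated values; whether that can happen is not visible from this hunk. A comment above each pair, e.g. `/* resolution is validated against maxGridRes at commit time; these asserts are debug-only */`, would make the dependency explicit.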