Fix T48824: Crash when having too many ray-to-volume intersections
authorSergey Sharybin <sergey.vfx@gmail.com>
Mon, 11 Jul 2016 15:58:42 +0000 (17:58 +0200)
committerSergey Sharybin <sergey.vfx@gmail.com>
Mon, 11 Jul 2016 15:59:46 +0000 (17:59 +0200)
Code might have writing past the array boundaries.

intern/cycles/kernel/bvh/bvh_shadow_all.h
intern/cycles/kernel/bvh/bvh_volume_all.h
intern/cycles/kernel/bvh/qbvh_shadow_all.h
intern/cycles/kernel/bvh/qbvh_volume_all.h

index 1d6fa30..1869457 100644 (file)
@@ -254,6 +254,9 @@ ccl_device bool BVH_FUNCTION_FULL_NAME(BVH)(KernelGlobals *kg,
 
                                                /* shadow ray early termination */
                                                if(hit) {
+                                                       /* Update number of hits now, so we do proper check on max bounces. */
+                                                       (*num_hits)++;
+
                                                        /* detect if this surface has a shader with transparent shadows */
 
                                                        /* todo: optimize so primitive visibility flag indicates if
@@ -284,14 +287,11 @@ ccl_device bool BVH_FUNCTION_FULL_NAME(BVH)(KernelGlobals *kg,
                                                                return true;
                                                        }
 
-                                                       /* move on to next entry in intersections array */
-                                                       isect_array++;
-                                                       (*num_hits)++;
 #if BVH_FEATURE(BVH_INSTANCING)
                                                        num_hits_in_instance++;
 #endif
-
-                                                       isect_array->t = isect_t;
+                                                       /* Move on to next entry in intersections array */
+                                                       isect_array++;
                                                }
 
                                                prim_addr++;
index 7eddc28..b5405e8 100644 (file)
@@ -201,13 +201,11 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(BVH)(KernelGlobals *kg,
                                                                                         object,
                                                                                         prim_addr);
                                                                if(hit) {
-                                                                       /* Move on to next entry in intersections array. */
-                                                                       isect_array++;
+                                                                       /* Update number of hits now, so we do proper check on max bounces. */
                                                                        num_hits++;
 #if BVH_FEATURE(BVH_INSTANCING)
                                                                        num_hits_in_instance++;
 #endif
-                                                                       isect_array->t = isect_t;
                                                                        if(num_hits == max_hits) {
 #if BVH_FEATURE(BVH_INSTANCING)
 #  if BVH_FEATURE(BVH_MOTION)
@@ -222,6 +220,9 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(BVH)(KernelGlobals *kg,
 #endif  /* BVH_FEATURE(BVH_INSTANCING) */
                                                                                return num_hits;
                                                                        }
+                                                                       /* Move on to next entry in intersections array */
+                                                                       isect_array++;
+                                                                       isect_array->t = isect_t;
                                                                }
                                                        }
                                                        break;
@@ -246,13 +247,11 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(BVH)(KernelGlobals *kg,
                                                                                                object,
                                                                                                prim_addr);
                                                                if(hit) {
-                                                                       /* Move on to next entry in intersections array. */
-                                                                       isect_array++;
+                                                                       /* Update number of hits now, so we do proper check on max bounces. */
                                                                        num_hits++;
 #  if BVH_FEATURE(BVH_INSTANCING)
                                                                        num_hits_in_instance++;
 #  endif
-                                                                       isect_array->t = isect_t;
                                                                        if(num_hits == max_hits) {
 #  if BVH_FEATURE(BVH_INSTANCING)
 #    if BVH_FEATURE(BVH_MOTION)
@@ -267,6 +266,9 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(BVH)(KernelGlobals *kg,
 #  endif  /* BVH_FEATURE(BVH_INSTANCING) */
                                                                                return num_hits;
                                                                        }
+                                                                       /* Move on to next entry in intersections array */
+                                                                       isect_array++;
+                                                                       isect_array->t = isect_t;
                                                                }
                                                        }
                                                        break;
index 3a728b3..34753ff 100644 (file)
@@ -337,6 +337,9 @@ ccl_device bool BVH_FUNCTION_FULL_NAME(QBVH)(KernelGlobals *kg,
 
                                                /* Shadow ray early termination. */
                                                if(hit) {
+                                                       /* Update number of hits now, so we do proper check on max bounces. */
+                                                       (*num_hits)++;
+
                                                        /* detect if this surface has a shader with transparent shadows */
 
                                                        /* todo: optimize so primitive visibility flag indicates if
@@ -367,13 +370,11 @@ ccl_device bool BVH_FUNCTION_FULL_NAME(QBVH)(KernelGlobals *kg,
                                                                return true;
                                                        }
 
-                                                       /* move on to next entry in intersections array */
-                                                       isect_array++;
-                                                       (*num_hits)++;
 #if BVH_FEATURE(BVH_INSTANCING)
                                                        num_hits_in_instance++;
 #endif
-
+                                                       /* Move on to next entry in intersections array */
+                                                       isect_array++;
                                                        isect_array->t = isect_t;
                                                }
 
index 4d3028b..a877e5b 100644 (file)
@@ -268,13 +268,11 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(QBVH)(KernelGlobals *kg,
                                                                /* Intersect ray against primitive. */
                                                                hit = triangle_intersect(kg, &isect_precalc, isect_array, P, visibility, object, prim_addr);
                                                                if(hit) {
-                                                                       /* Move on to next entry in intersections array. */
-                                                                       isect_array++;
+                                                                       /* Update number of hits now, so we do proper check on max bounces. */
                                                                        num_hits++;
 #if BVH_FEATURE(BVH_INSTANCING)
                                                                        num_hits_in_instance++;
 #endif
-                                                                       isect_array->t = isect_t;
                                                                        if(num_hits == max_hits) {
 #if BVH_FEATURE(BVH_INSTANCING)
 #  if BVH_FEATURE(BVH_MOTION)
@@ -289,6 +287,9 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(QBVH)(KernelGlobals *kg,
 #endif  /* BVH_FEATURE(BVH_INSTANCING) */
                                                                                return num_hits;
                                                                        }
+                                                                       /* Move on to next entry in intersections array */
+                                                                       isect_array++;
+                                                                       isect_array->t = isect_t;
                                                                }
                                                        }
                                                        break;
@@ -306,13 +307,11 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(QBVH)(KernelGlobals *kg,
                                                                /* Intersect ray against primitive. */
                                                                hit = motion_triangle_intersect(kg, isect_array, P, dir, ray->time, visibility, object, prim_addr);
                                                                if(hit) {
-                                                                       /* Move on to next entry in intersections array. */
-                                                                       isect_array++;
+                                                                       /* Update number of hits now, so we do proper check on max bounces. */
                                                                        num_hits++;
 #  if BVH_FEATURE(BVH_INSTANCING)
                                                                        num_hits_in_instance++;
 #  endif
-                                                                       isect_array->t = isect_t;
                                                                        if(num_hits == max_hits) {
 #  if BVH_FEATURE(BVH_INSTANCING)
 #    if BVH_FEATURE(BVH_MOTION)
@@ -327,6 +326,9 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(QBVH)(KernelGlobals *kg,
 #  endif  /* BVH_FEATURE(BVH_INSTANCING) */
                                                                                return num_hits;
                                                                        }
+                                                                       /* Move on to next entry in intersections array */
+                                                                       isect_array++;
+                                                                       isect_array->t = isect_t;
                                                                }
                                                        }
                                                        break;