When generating a sub-determinant matrix, a 3-element swizzle array was
indexed with clever inline boolean logic. Unfortunately, when i and j
are both 3, the index overruns the array, smashing the next variable on
the stack.
For 64-bit builds, the alignment of the 3-element unsigned array leaves
32 bits of spacing before the next local variable, hiding this bug. On
i386, a subcolumn pointer was smashed, then dereferenced.
nir_ssa_def *subdet[4];
for (unsigned i = 0; i < 4; i++) {
unsigned swiz[3];
- for (unsigned j = 0; j < 4; j++)
- swiz[j - (j > i)] = j;
+ for (unsigned j = 0, k = 0; j < 3; j++, k++) {
+ if (k == i)
+ k++; /* skip column */
+ swiz[j] = k;
+ }
nir_ssa_def *subcol[3];
subcol[0] = nir_swizzle(b, col[1], swiz, 3, true);
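Review bot: the replacement loop is correct (for i == 3 it writes 0, 1, 2 and never touches swiz[3]), but the k-skip form hides the invariant that makes it safe: k can equal i at most once per iteration, so a single `k++` suffices. Consider the equivalent one-liner `swiz[j] = j + (j >= i);` with j bounded by 3, which keeps the index provably in range without the second counter, or add a comment stating why one skip is enough. The removed `swiz[j - (j > i)] = j` also wrote swiz[i] = i before overwriting it, so a regression test that exercises i == 3 (the only case that overran) would be worth adding; building with -fsanitize=address or -fsanitize=bounds would have flagged this write regardless of stack layout.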