i965: Fix out-of-bounds accesses into pull_constant_loc array
author Iago Toral Quiroga <itoral@igalia.com>
Tue, 10 Mar 2015 10:36:43 +0000 (11:36 +0100)
committer Iago Toral Quiroga <itoral@igalia.com>
Wed, 11 Mar 2015 07:03:40 +0000 (08:03 +0100)
The piglit test glsl-fs-uniform-array-loop-unroll.shader_test was designed
to do an out of bounds access into a uniform array to make sure that we
handle that situation gracefully inside the driver, however, as Ken describes
in bug 79202, Valgrind reports that this is leading to an out-of-bounds access
in fs_visitor::demote_pull_constants().

Before accessing the pull_constant_loc array we should make sure that
the uniform we are trying to access is valid.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=79202
Reviewed-by: Matt Turner <mattst88@gmail.com>
src/mesa/drivers/dri/i965/brw_fs.cpp

index 89754ad9434d8b19b2d30b5dc1d69ff31cb40e0f..6d7cf0e42ee3b8c595caa6aeb28e41afe8d23d5e 100644 (file)
@@ -2281,8 +2281,13 @@ fs_visitor::demote_pull_constants()
         if (inst->src[i].file != UNIFORM)
            continue;
 
-         int pull_index = pull_constant_loc[inst->src[i].reg +
-                                            inst->src[i].reg_offset];
+         int pull_index;
+         unsigned location = inst->src[i].reg + inst->src[i].reg_offset;
+         if (location >= uniforms) /* Out of bounds access */
+            pull_index = -1;
+         else
+            pull_index = pull_constant_loc[location];
+
          if (pull_index == -1)
            continue;
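
Review bot: The check `if (location >= uniforms)` rejects a negative `reg + reg_offset` sum only because `location` is declared `unsigned`, so the sum wraps to a large value; nothing in the hunk says this is intentional. A short comment on the declaration would keep a later cleanup from changing the type to `int` and reopening the out-of-bounds read. The hunk also takes for granted that `uniforms` is the number of entries in `pull_constant_loc`. Since the allocation is not visible here, consider an assertion or a comment next to the check that ties the two together. On style, assigning `pull_index = -1` only to test it two lines later is roundabout: `if (location >= uniforms) continue;` followed by `int pull_index = pull_constant_loc[location];` does the same with less branching. Finally, `/* Out of bounds access */` could say that this case is reachable from a valid shader (the piglit test named in the commit message) and that the source is deliberately left undemoted.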