projects / mesa.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 211b826)
glsl: Fix buffer overflow with an atomic buffer binding out of range.
authorEric Anholt <eric@anholt.net>
Tue, 8 Jan 2019 19:45:16 +0000 (11:45 -0800)
committerEric Anholt <eric@anholt.net>
Tue, 8 Jan 2019 23:44:58 +0000 (15:44 -0800)
The binding is checked against the limits later in the function, so we
need to make sure we don't overflow before the check here.

Fixes this valgrind warning (and sometimes segfault):

==1460== Invalid write of size 4
==1460==    at 0x74C98DD: ast_declarator_list::hir(exec_list*, _mesa_glsl_parse_state*) (ast_to_hir.cpp:4943)
==1460==    by 0x74C054F: _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*) (ast_to_hir.cpp:159)
==1460==    by 0x7435C12: _mesa_glsl_compile_shader (glsl_parser_extras.cpp:2130)

in

dEQP-GLES31.functional.debug.negative_coverage.get_error.compute.
   exceed_atomic_counters_limit

Reviewed-by: Timothy Arceri <tarceri@itsqueeze.com>
src/compiler/glsl/ast_to_hir.cpp patch | blob | history

diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_hir.cpp
index 8fdc1890ab0a0f31ae349b552ceae90b11375fa7..611cfabbd0343d90c1c6d63805ed47463896c27b 100644 (file)
--- a/src/compiler/glsl/ast_to_hir.cpp
+++ b/src/compiler/glsl/ast_to_hir.cpp
@@ -4940,7 +4940,8 @@ ast_declarator_list::hir(exec_list *instructions,
              && process_qualifier_constant(state, &loc, "offset",
                                         type->qualifier.offset,
                                         &qual_offset)) {
-            state->atomic_counter_offsets[qual_binding] = qual_offset;
+            if (qual_binding < ARRAY_SIZE(state->atomic_counter_offsets))
+               state->atomic_counter_offsets[qual_binding] = qual_offset;
          }
       }