glsl: avoid stack smashing when there are too many attributes

This fixes a crash in

dEQP-GLES3.functional.transform_feedback.array_element.separate.points.lowp_mat3x2

and likely others. The vertex shader has > 16 input variables (without
explicit locations), which causes us to index outside of the to_assign
array.

Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Reviewed-by: Timothy Arceri <timothy.arceri@collabora.com>
Cc: "11.1 11.2" <mesa-stable@lists.freedesktop.org>

diff --git a/src/compiler/glsl/linker.cpp b/src/compiler/glsl/linker.cpp
index 3039232162aede7b29f26eb6dd77703fa0eb119f..4cec1077025dd8c70b80b5f6f6f465f8889891d1 100644 (file)
--- a/src/compiler/glsl/linker.cpp
+++ b/src/compiler/glsl/linker.cpp
@@ -2625,6 +2625,13 @@ assign_attribute_or_color_locations(gl_shader_program *prog,
         continue;
       }
 
+      if (num_attr >= ARRAY_SIZE(to_assign)) {
+         linker_error(prog, "too many %s (max %u)",
+                      target_index == MESA_SHADER_VERTEX ?
+                      "vertex shader inputs" : "fragment shader outputs",
+                      (unsigned)ARRAY_SIZE(to_assign));
+         return false;
+      }
       to_assign[num_attr].slots = slots;
       to_assign[num_attr].var = var;
       num_attr++;