From 4b160c67764b3f0d0a843f7542d6079aa3a7d8f2 Mon Sep 17 00:00:00 2001
From: Jason Ekstrand
Date: Thu, 9 Apr 2020 16:58:58 -0500
Subject: [PATCH] spirv: Error if OpCompositeInsert/Extract has OOB indices
Reviewed-by: Caio Marcelo de Oliveira Filho
Part-of:
---
 src/compiler/spirv/spirv_to_nir.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/src/compiler/spirv/spirv_to_nir.c b/src/compiler/spirv/spirv_to_nir.c
index 249b09b56ff..a4f8ce27987 100644
--- a/src/compiler/spirv/spirv_to_nir.c
+++ b/src/compiler/spirv/spirv_to_nir.c
@@ -3459,10 +3459,20 @@ vtn_composite_insert(struct vtn_builder *b, struct vtn_ssa_value *src,
 struct vtn_ssa_value *cur = dest;
 unsigned i;
 for (i = 0; i < num_indices - 1; i++) {
+ /* If we got a vector here, that means the next index will be trying to
+ * dereference a scalar.
+ */
+ vtn_fail_if(glsl_type_is_vector_or_scalar(cur->type),
+ "OpCompositeInsert has too many indices.");
+ vtn_fail_if(indices[i] >= glsl_get_length(cur->type),
+ "All indices in an OpCompositeInsert must be in-bounds");
 cur = cur->elems[indices[i]];
 }
 if (glsl_type_is_vector_or_scalar(cur->type)) {
+ vtn_fail_if(indices[i] >= glsl_get_vector_elements(cur->type),
+ "All indices in an OpCompositeInsert must be in-bounds");
+
 /* According to the SPIR-V spec, OpCompositeInsert may work down to
 * the component granularity. In that case, the last index will be
 * the index to insert the scalar into the vector.
@@ -3470,6 +3480,8 @@ vtn_composite_insert(struct vtn_builder *b, struct vtn_ssa_value *src,
 cur->def = vtn_vector_insert(b, cur->def, insert->def, indices[i]);
 } else {
+ vtn_fail_if(indices[i] >= glsl_get_length(cur->type),
+ "All indices in an OpCompositeInsert must be in-bounds");
 cur->elems[indices[i]] = insert;
 }
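Review bot: The zero-index case is still unguarded in vtn_composite_insert: the loop bound `num_indices - 1` in the first hunk wraps if num_indices is unsigned (its declaration is outside the hunk) and a module supplies no indices. In that case, for an aggregate type, the new bounds check would read `indices[0]` beyond the operands the instruction actually carries. A guard ahead of the loop, e.g. `vtn_fail_if(num_indices == 0, "OpCompositeInsert requires at least one index");`, would close that path; it is worth confirming whether the caller already rejects it. The function's signature and opening lines lie outside the hunk.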
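Review bot: The three bounds failures in vtn_composite_insert (the else-branch check in the second hunk and the two in the first hunk) share one fixed message, so a rejected module gives no hint of which index or nesting level was out of range. If vtn_fail_if forwards printf-style arguments, which I believe it does, the message could carry the values: `"OpCompositeInsert index %u (value %u) is out of bounds", i, indices[i]`. The same applies to the two OpCompositeExtract checks added later in the patch.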
@@ -3484,6 +3496,9 @@ vtn_composite_extract(struct vtn_builder *b, struct vtn_ssa_value *src,
 for (unsigned i = 0; i < num_indices; i++) {
 if (glsl_type_is_vector_or_scalar(cur->type)) {
 vtn_assert(i == num_indices - 1);
+ vtn_fail_if(indices[i] >= glsl_get_vector_elements(cur->type),
+ "All indices in an OpCompositeExtract must be in-bounds");
+
 /* According to the SPIR-V spec, OpCompositeExtract may work down to
 * the component granularity. The last index will be the index of the
 * vector to extract.
@@ -3494,6 +3509,8 @@ vtn_composite_extract(struct vtn_builder *b, struct vtn_ssa_value *src,
 ret->def = vtn_vector_extract(b, cur->def, indices[i]);
 return ret;
 } else {
+ vtn_fail_if(indices[i] >= glsl_get_length(cur->type),
+ "All indices in an OpCompositeExtract must be in-bounds");
 cur = cur->elems[indices[i]];
 }
 }
-- 
2.30.2
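Review bot: The too-many-indices case in vtn_composite_extract still relies on `vtn_assert(i == num_indices - 1)` directly above the new bounds check in the first extract hunk, while the insert path in this same commit reports it through vtn_fail_if with its own message. For consistency, and so that a malformed module is rejected with a diagnostic however vtn_assert is built, consider `vtn_fail_if(i != num_indices - 1, "OpCompositeExtract has too many indices.");`. The function begins outside the hunk, so how `cur` is initialised is not visible here.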