From f6827e20d12ab062440bc809b8f2338b68edac45 Mon Sep 17 00:00:00 2001
From: Ilia Mirkin <imirkin@alum.mit.edu>
Date: Sun, 6 Mar 2016 12:19:04 -0500
Subject: [PATCH] glsl: avoid stack smashing when there are too many attributes

This fixes a crash in

dEQP-GLES3.functional.transform_feedback.array_element.separate.points.lowp_mat3x2

and likely others. The vertex shader has > 16 input variables (without
explicit locations), which causes us to index outside of the to_assign
array.

Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Reviewed-by: Timothy Arceri <timothy.arceri@collabora.com>
Cc: "11.1 11.2" <mesa-stable@lists.freedesktop.org>
---
 src/compiler/glsl/linker.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/compiler/glsl/linker.cpp b/src/compiler/glsl/linker.cpp
index 3039232162a..4cec1077025 100644
--- a/src/compiler/glsl/linker.cpp
+++ b/src/compiler/glsl/linker.cpp
@@ -2625,6 +2625,13 @@ assign_attribute_or_color_locations(gl_shader_program *prog,
 	 continue;
       }
 
+      if (num_attr >= ARRAY_SIZE(to_assign)) {
+         linker_error(prog, "too many %s (max %u)",
+                      target_index == MESA_SHADER_VERTEX ?
+                      "vertex shader inputs" : "fragment shader outputs",
+                      (unsigned)ARRAY_SIZE(to_assign));
+         return false;
+      }
       to_assign[num_attr].slots = slots;
       to_assign[num_attr].var = var;
       num_attr++;
-- 
2.30.2