From 6a7e2904e0a2a6f8efbf739a1b3cad7e1e4ab42d Mon Sep 17 00:00:00 2001
From: Mark Janes
Date: Tue, 2 Feb 2016 15:30:54 -0800
Subject: [PATCH] nir/spirv: fix build_mat4_det stack smasher

When generating a sub-determinate matrix, a 3-element swizzle array was indexed with clever inline boolean logic. Unfortunately, when i and j are both 3, the index overruns the array, smashing the next variable on the stack. For 64 bit builds, the alignment of the 3-element unsigned array leaves 32 bits of spacing before the next local variable, hiding this bug. On i386, a subcolumn pointer was smashed then dereferenced.
---
 src/glsl/nir/spirv/vtn_glsl450.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/glsl/nir/spirv/vtn_glsl450.c b/src/glsl/nir/spirv/vtn_glsl450.c
index 9c82c07894a..bc38aa4b1be 100644
--- a/src/glsl/nir/spirv/vtn_glsl450.c
+++ b/src/glsl/nir/spirv/vtn_glsl450.c
@@ -68,8 +68,11 @@ build_mat4_det(nir_builder *b, nir_ssa_def **col)
 nir_ssa_def *subdet[4];
 for (unsigned i = 0; i < 4; i++) {
 unsigned swiz[3];
- for (unsigned j = 0; j < 4; j++)
- swiz[j - (j > i)] = j;
+ for (unsigned j = 0, k = 0; j < 3; j++, k++) {
+ if (k == i)
+ k++; /* skip column */
+ swiz[j] = k;
+ }
 nir_ssa_def *subcol[3];
 subcol[0] = nir_swizzle(b, col[1], swiz, 3, true);
-- 
2.30.2
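Review bot: The new loop does keep `swiz` in bounds (j runs 0..2 over the 3-element array while k skips column i), but the double advance of `k` — once in the body and once in the increment clause — is easy to misread, and the array length appears as two unrelated literal 3s, in `unsigned swiz[3]` and in the loop bound. A one-line comment above the loop such as `/* swiz = the three column indices other than i, in ascending order */` would state the invariant the rest of the function relies on, and deriving the bound from the array (e.g. with Mesa's ARRAY_SIZE macro, if it is in scope in this file) would tie the two lengths together. As the message notes, the old overrun was masked on 64-bit only by alignment padding; an out-of-bounds stack write of this shape is exactly what an address-sanitizer build surfaces regardless of target alignment. build_mat4_det begins and ends outside the hunk.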