Mesa (10.4): i965: Fix out-of-bounds accesses into pull_constant_loc array

[Emil Velikov]

Module: Mesa
Branch: 10.4
Commit: 8c25b0f2d15a03523fd731718b2f80117bc75791
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=8c25b0f2d15a03523fd731718b2f80117bc75791

Author: Iago Toral Quiroga <itoral at igalia.com>
Date:   Tue Mar 10 11:36:43 2015 +0100

i965: Fix out-of-bounds accesses into pull_constant_loc array

The piglit test glsl-fs-uniform-array-loop-unroll.shader_test was designed
to do an out of bounds access into an uniform array to make sure that we
handle that situation gracefully inside the driver, however, as Ken describes
in bug 79202, Valgrind reports that this is leading to an out-of-bounds access
in fs_visitor::demote_pull_constants().

Before accessing the pull_constant_loc array we should make sure that
the uniform we are trying to access is valid.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=79202
Reviewed-by: Matt Turner <mattst88 at gmail.com>
(cherry picked from commit 6ac1bc90c4a7a6f32901a9782e14b090f6fe5270)
Nominated-by: Matt Turner <mattst88 at gmail.com>

---

 src/mesa/drivers/dri/i965/brw_fs.cpp |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp
index 57ca39d..fdfd528 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs.cpp
@@ -2179,8 +2179,13 @@ fs_visitor::demote_pull_constants()
 	 if (inst->src[i].file != UNIFORM)
 	    continue;
 
-         int pull_index = pull_constant_loc[inst->src[i].reg +
-                                            inst->src[i].reg_offset];
+         int pull_index;
+         unsigned location = inst->src[i].reg + inst->src[i].reg_offset;
+         if (location >= uniforms) /* Out of bounds access */
+            pull_index = -1;
+         else
+            pull_index = pull_constant_loc[location];
+
          if (pull_index == -1)
 	    continue;