Mesa (13.0): nv50,nvc0: avoid reading out of bounds when getting bogus so info

[Emil Velikov]

Module: Mesa
Branch: 13.0
Commit: 05b89cf40e1f1c2a31fac1aed389764a9b1141b0
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=05b89cf40e1f1c2a31fac1aed389764a9b1141b0

Author: Ilia Mirkin <imirkin at alum.mit.edu>
Date:   Wed Oct 19 00:05:26 2016 -0400

nv50,nvc0: avoid reading out of bounds when getting bogus so info

The state tracker tries to attach the info to the wrong shader. This is
easy enough to protect against.

Signed-off-by: Ilia Mirkin <imirkin at alum.mit.edu>
Reviewed-by: Samuel Pitoiset <samuel.pitoiset at gmail.com>
Cc: 12.0 13.0 <mesa-stable at lists.freedesktop.org>
(cherry picked from commit 313fba5ee1de9416930e45da8aff63a24763940b)

---

 src/gallium/drivers/nouveau/nv50/nv50_program.c | 3 +++
 src/gallium/drivers/nouveau/nvc0/nvc0_program.c | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/gallium/drivers/nouveau/nv50/nv50_program.c b/src/gallium/drivers/nouveau/nv50/nv50_program.c
index 2b66877..ea5febd 100644
--- a/src/gallium/drivers/nouveau/nv50/nv50_program.c
+++ b/src/gallium/drivers/nouveau/nv50/nv50_program.c
@@ -307,6 +307,9 @@ nv50_program_create_strmout_state(const struct nv50_ir_prog_info *info,
       const unsigned r = pso->output[i].register_index;
       b = pso->output[i].output_buffer;
 
+      if (r >= info->numOutputs)
+         continue;
+
       for (c = 0; c < pso->output[i].num_components; ++c)
          so->map[base[b] + p + c] = info->out[r].slot[s + c];
    }
diff --git a/src/gallium/drivers/nouveau/nvc0/nvc0_program.c b/src/gallium/drivers/nouveau/nvc0/nvc0_program.c
index f52cbd2..a4a164f 100644
--- a/src/gallium/drivers/nouveau/nvc0/nvc0_program.c
+++ b/src/gallium/drivers/nouveau/nvc0/nvc0_program.c
@@ -509,11 +509,14 @@ nvc0_program_create_tfb_state(const struct nv50_ir_prog_info *info,
    for (i = 0; i < pso->num_outputs; ++i) {
       unsigned s = pso->output[i].start_component;
       unsigned p = pso->output[i].dst_offset;
+      const unsigned r = pso->output[i].register_index;
       b = pso->output[i].output_buffer;
 
+      if (r >= info->numOutputs)
+         continue;
+
       for (c = 0; c < pso->output[i].num_components; ++c)
-         tfb->varying_index[b][p++] =
-            info->out[pso->output[i].register_index].slot[s + c];
+         tfb->varying_index[b][p++] = info->out[r].slot[s + c];
 
       tfb->varying_count[b] = MAX2(tfb->varying_count[b], p);
       tfb->stream[b] = pso->output[i].stream;