Mesa (master): glsl: Fix buffer overflow with an atomic buffer binding out of range.

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Tue Jan 8 23:51:44 UTC 2019


Module: Mesa
Branch: master
Commit: 700aeaf9c863ea545fe529c1a7fcbc8e87c9adb4
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=700aeaf9c863ea545fe529c1a7fcbc8e87c9adb4

Author: Eric Anholt <eric at anholt.net>
Date:   Tue Jan  8 11:45:16 2019 -0800

glsl: Fix buffer overflow with an atomic buffer binding out of range.

The binding is checked against the limits later in the function, so we
need to make sure we don't overflow before the check here.

Fixes this valgrind warning (and sometimes segfault):

==1460== Invalid write of size 4
==1460==    at 0x74C98DD: ast_declarator_list::hir(exec_list*, _mesa_glsl_parse_state*) (ast_to_hir.cpp:4943)
==1460==    by 0x74C054F: _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*) (ast_to_hir.cpp:159)
==1460==    by 0x7435C12: _mesa_glsl_compile_shader (glsl_parser_extras.cpp:2130)

in

dEQP-GLES31.functional.debug.negative_coverage.get_error.compute.
   exceed_atomic_counters_limit

Reviewed-by: Timothy Arceri <tarceri at itsqueeze.com>

---

 src/compiler/glsl/ast_to_hir.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_hir.cpp
index 8fdc1890ab..611cfabbd0 100644
--- a/src/compiler/glsl/ast_to_hir.cpp
+++ b/src/compiler/glsl/ast_to_hir.cpp
@@ -4940,7 +4940,8 @@ ast_declarator_list::hir(exec_list *instructions,
              && process_qualifier_constant(state, &loc, "offset",
                                         type->qualifier.offset,
                                         &qual_offset)) {
-            state->atomic_counter_offsets[qual_binding] = qual_offset;
+            if (qual_binding < ARRAY_SIZE(state->atomic_counter_offsets))
+               state->atomic_counter_offsets[qual_binding] = qual_offset;
          }
       }
 
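Review bot: the new `if (qual_binding < ARRAY_SIZE(state->atomic_counter_offsets))` guard silently skips the store for an out-of-range binding, and nothing at this spot says why that is safe. The commit message explains that the binding is checked against the limits later in the function, so a one-line comment here saying the range error is reported further down would keep a later reader from treating this as a swallowed error or from dropping the guard. The declaration of `qual_binding` is not visible in this hunk, so it is also worth confirming it is unsigned, so that a negative value cannot pass the `<` comparison.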



