Mesa (master): glsl: avoid an out-of-bound access while setting up a location for variable

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Thu Nov 26 15:22:30 UTC 2020


Module: Mesa
Branch: master
Commit: a941618a1fc361ad6089753b39dc3bcea71d8fe9
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=a941618a1fc361ad6089753b39dc3bcea71d8fe9

Author: Andrii Simiklit <andrii.simiklit at globallogic.com>
Date:   Thu Oct 29 17:05:19 2020 +0200

glsl: avoid an out-of-bound access while setting up a location for variable

It fixes the following valgrind issue:
==141996== Invalid read of size 4
==141996==    at 0x61F8806: gl_nir_link_uniforms (gl_nir_link_uniforms.c:1788)
==141996==    by 0x60F17AA: gl_nir_link_glsl (gl_nir_linker.c:672)
==141996==    by 0x5C1AEDF: st_link_nir (st_glsl_to_nir.cpp:739)
==141996==    by 0x5C15574: st_link_shader (st_glsl_to_ir.cpp:172)
==141996==    by 0x5C673B0: _mesa_glsl_link_shader (ir_to_mesa.cpp:3117)
==141996==    by 0x5E7B61C: link_program (shaderapi.c:1311)
==141996==    by 0x5E7B61C: link_program_error (shaderapi.c:1419)
==141996==    by 0x5E7CF8A: _mesa_LinkProgram (shaderapi.c:1911)
==141996==    by 0x4923D13: stub_glLinkProgram (piglit-dispatch-gen.c:33956)
==141996==    by 0x1142C0: link_and_use_shaders (shader_runner.c:1636)
==141996==    by 0x1205A6: init_test (shader_runner.c:5347)
==141996==    by 0x121555: piglit_init (shader_runner.c:5725)
==141996==    by 0x4991C84: run_test (piglit_fbo_framework.c:50)

It can be reproduced on `iris` using the following piglit test:
instance-matching-shader-storage-blocks-align-qualifier-mismatch.shader_test

Closes: #3818
Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>
Fixes: 47c35823 ("glsl: fix up location setting for variables pointing to a UBO's base")
Signed-off-by: Mike Blumenkrantz <michael.blumenkrantz at gmail.com>
Signed-off-by: Andrii Simiklit <andrii.simiklit at globallogic.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/7376>

---

 src/compiler/glsl/gl_nir_link_uniforms.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/compiler/glsl/gl_nir_link_uniforms.c b/src/compiler/glsl/gl_nir_link_uniforms.c
index f8a6cc8728e..cd26cb33fce 100644
--- a/src/compiler/glsl/gl_nir_link_uniforms.c
+++ b/src/compiler/glsl/gl_nir_link_uniforms.c
@@ -1776,19 +1776,21 @@ gl_nir_link_uniforms(struct gl_context *ctx,
                      break;
                }
                assert(found);
-            } else
+               var->data.location = location;
+            } else {
                /* this is the base block offset */
-               location = buffer_block_index;
+               var->data.location = buffer_block_index;
+               location = 0;
+            }
             assert(buffer_block_index >= 0);
             const struct gl_uniform_block *const block =
                &blocks[buffer_block_index];
-            assert(location != -1);
+            assert(location >= 0 && location < block->NumUniforms);
 
             const struct gl_uniform_buffer_variable *const ubo_var =
                &block->Uniforms[location];
 
             state.offset = ubo_var->Offset;
-            var->data.location = location;
          }
 
          /* Check if the uniform has been processed already for
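Review bot: The new range check `assert(location >= 0 && location < block->NumUniforms);` is the only guard in front of `&block->Uniforms[location]`, and it compiles out when NDEBUG is defined, so a release build still performs the read that valgrind flagged if the index is ever out of range. Consider an explicit runtime check that takes an error path instead of dereferencing. The same applies to `assert(found);`, which is now followed directly by `var->data.location = location;`, so a failed lookup stores the unset index in non-assert builds. In the else branch, `location = 0;` assumes the block has at least one entry in `Uniforms`. With `NumUniforms == 0` the assert fails in debug builds and `Uniforms[0]` is read in release builds, so a short comment stating why entry 0 supplies the right `state.offset` for the base block, and what guarantees it exists, would help.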


