Mesa (main): lavapipe: fix incorrect sv[] array size
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Thu Jul 14 20:00:37 UTC 2022
Module: Mesa
Branch: main
Commit: 29ec6372cc13958691add84360ca7ac447b4c409
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=29ec6372cc13958691add84360ca7ac447b4c409
Author: Brian Paul <brianp at vmware.com>
Date: Wed Jun 15 15:41:10 2022 -0600
lavapipe: fix incorrect sv[] array size
The sampler views array needs to be dimensioned by
PIPE_MAX_SHADER_SAMPLER_VIEWS, not PIPE_MAX_SAMPLERS.
This fixes out-of-bounds array writes when using more than 32
textures in a shader.
Also add some assertions to check array indexing elsewhere.
And change loop limits to be based on ARRAY_SIZE().
Signed-off-by: Brian Paul <brianp at vmware.com>
Reviewed-by: Roland Scheidegger <sroland at vmware.com>
Reviewed-By: Mike Blumenkrantz <michael.blumenkrantz at gmail.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/17062>
---
src/gallium/frontends/lavapipe/lvp_execute.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/gallium/frontends/lavapipe/lvp_execute.c b/src/gallium/frontends/lavapipe/lvp_execute.c
index ff9c603daf8..abec51f448a 100644
--- a/src/gallium/frontends/lavapipe/lvp_execute.c
+++ b/src/gallium/frontends/lavapipe/lvp_execute.c
@@ -127,7 +127,7 @@ struct rendering_state {
struct pipe_vertex_buffer vb[PIPE_MAX_ATTRIBS];
struct cso_velems_state velem;
- struct pipe_sampler_view *sv[PIPE_SHADER_TYPES][PIPE_MAX_SAMPLERS];
+ struct pipe_sampler_view *sv[PIPE_SHADER_TYPES][PIPE_MAX_SHADER_SAMPLER_VIEWS];
int num_sampler_views[PIPE_SHADER_TYPES];
struct pipe_sampler_state ss[PIPE_SHADER_TYPES][PIPE_MAX_SAMPLERS];
/* cso_context api is stupid */
@@ -1129,6 +1129,7 @@ static void fill_sampler_view_stage(struct rendering_state *state,
fix_depth_swizzle_a(templ.swizzle_a);
}
+ assert(sv_idx < ARRAY_SIZE(state->sv[p_stage]));
if (state->sv[p_stage][sv_idx])
pipe_sampler_view_reference(&state->sv[p_stage][sv_idx], NULL);
state->sv[p_stage][sv_idx] = state->pctx->create_sampler_view(state->pctx, iv->image->bo, &templ);
@@ -1155,6 +1156,7 @@ static void fill_sampler_buffer_view_stage(struct rendering_state *state,
sv_idx += dyn_info->stage[stage].sampler_view_count;
struct lvp_buffer_view *bv = descriptor->buffer_view;
+ assert(sv_idx < ARRAY_SIZE(state->sv[p_stage]));
if (state->sv[p_stage][sv_idx])
pipe_sampler_view_reference(&state->sv[p_stage][sv_idx], NULL);
@@ -4021,7 +4023,7 @@ VkResult lvp_execute_cmds(struct lvp_device *device,
state->vp_dirty = true;
state->rs_state.point_tri_clip = true;
for (enum pipe_shader_type s = PIPE_SHADER_VERTEX; s < PIPE_SHADER_TYPES; s++) {
- for (unsigned i = 0; i < PIPE_MAX_SAMPLERS; i++)
+ for (unsigned i = 0; i < ARRAY_SIZE(state->cso_ss_ptr[s]); i++)
state->cso_ss_ptr[s][i] = &state->ss[s][i];
}
/* create a gallium context */
@@ -4030,20 +4032,21 @@ VkResult lvp_execute_cmds(struct lvp_device *device,
state->start_vb = -1;
state->num_vb = 0;
cso_unbind_context(queue->cso);
- for (unsigned i = 0; i < PIPE_MAX_SO_BUFFERS; i++) {
+ for (unsigned i = 0; i < ARRAY_SIZE(state->so_targets); i++) {
if (state->so_targets[i]) {
state->pctx->stream_output_target_destroy(state->pctx, state->so_targets[i]);
}
}
for (enum pipe_shader_type s = PIPE_SHADER_VERTEX; s < PIPE_SHADER_TYPES; s++) {
- for (unsigned i = 0; i < PIPE_MAX_SAMPLERS; i++) {
+ for (unsigned i = 0; i < ARRAY_SIZE(state->sv[s]); i++) {
if (state->sv[s][i])
pipe_sampler_view_reference(&state->sv[s][i], NULL);
}
}
- for (unsigned i = 0; i < PIPE_MAX_SAMPLERS; i++) {
+ for (unsigned i = 0;
+ i < ARRAY_SIZE(state->cso_ss_ptr[PIPE_SHADER_COMPUTE]); i++) {
if (state->cso_ss_ptr[PIPE_SHADER_COMPUTE][i])
state->pctx->delete_sampler_state(state->pctx, state->ss_cso[PIPE_SHADER_COMPUTE][i]);
}
More information about the mesa-commit
mailing list