Mesa (main): gallivm: fix ssbo oob reads

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Tue May 10 21:08:02 UTC 2022 

Module: Mesa
Branch: main
Commit: aa98a90265ca9ec844f07b4b2a1d1e07fe33511a
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=aa98a90265ca9ec844f07b4b2a1d1e07fe33511a

Author: Mike Blumenkrantz <michael.blumenkrantz at gmail.com>
Date:   Fri Apr 22 13:52:22 2022 -0400

gallivm: fix ssbo oob reads

this was checking (offset < size) when really it needs to be
(offset < size && extent < size && offset >= 0)

Fixes: 591899eedd2 ("gallivm/nir: Add a short circuit uniform-offset mode for load_ssbo/load_shared.")

Reviewed-by: Dave Airlie <airlied at redhat.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/16137>

---

 src/gallium/auxiliary/gallivm/lp_bld_nir_soa.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/gallium/auxiliary/gallivm/lp_bld_nir_soa.c b/src/gallium/auxiliary/gallivm/lp_bld_nir_soa.c
index e31faf57707..1ab759508e0 100644
--- a/src/gallium/auxiliary/gallivm/lp_bld_nir_soa.c
+++ b/src/gallium/auxiliary/gallivm/lp_bld_nir_soa.c
@@ -1181,9 +1181,12 @@ static void emit_load_mem(struct lp_build_nir_context *bld_base,
             LLVMValueRef res_store = lp_build_alloca(gallivm, LLVMTypeOf(zero), "");
             LLVMBuildStore(builder, zero, res_store);
 
-            LLVMValueRef fetch_cond = LLVMBuildICmp(gallivm->builder, LLVMIntUGE, ssbo_limit, chan_offset, "");
+            LLVMValueRef fetch_extent = LLVMBuildAdd(builder, chan_offset, lp_build_const_int32(gallivm, 1), "");
+            LLVMValueRef fetch_cond = LLVMBuildICmp(gallivm->builder, LLVMIntUGE, ssbo_limit, fetch_extent, "");
+            LLVMValueRef fetch_cond2 = LLVMBuildICmp(gallivm->builder, LLVMIntSGE, chan_offset, lp_build_const_int32(gallivm, 0), "");
+            LLVMValueRef fetch_cond_final = LLVMBuildAnd(gallivm->builder, fetch_cond, fetch_cond2, "");
             struct lp_build_if_state ifthen;
-            lp_build_if(&ifthen, gallivm, fetch_cond);
+            lp_build_if(&ifthen, gallivm, fetch_cond_final);
             LLVMBuildStore(builder, lp_build_pointer_get(builder, mem_ptr, chan_offset), res_store);
             lp_build_endif(&ifthen);

More information about the mesa-commit mailing list