[Mesa-dev] [PATCH] i965: Fix out-of-bounds accesses into pull_constant_loc array
Ian Romanick
idr at freedesktop.org
Wed Mar 11 10:10:04 PDT 2015
Given the age of this bug, should this be a candidate for 10.4 and 10.5
stable branches?
On 03/10/2015 03:36 AM, Iago Toral Quiroga wrote:
> The piglit test glsl-fs-uniform-array-loop-unroll.shader_test was designed
> to do an out of bounds access into a uniform array to make sure that we
> handle that situation gracefully inside the driver, however, as Ken describes
> in bug 79202, Valgrind reports that this is leading to an out-of-bounds access
> in fs_visitor::demote_pull_constants().
>
> Before accessing the pull_constant_loc array we should make sure that
> the uniform we are trying to access is valid.
>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=79202
> ---
> src/mesa/drivers/dri/i965/brw_fs.cpp | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp
> index 89754ad..6d7cf0e 100644
> --- a/src/mesa/drivers/dri/i965/brw_fs.cpp
> +++ b/src/mesa/drivers/dri/i965/brw_fs.cpp
> @@ -2281,8 +2281,13 @@ fs_visitor::demote_pull_constants()
> if (inst->src[i].file != UNIFORM)
> continue;
>
> - int pull_index = pull_constant_loc[inst->src[i].reg +
> - inst->src[i].reg_offset];
> + int pull_index;
> + unsigned location = inst->src[i].reg + inst->src[i].reg_offset;
> + if (location >= uniforms) /* Out of bounds access */
> + pull_index = -1;
> + else
> + pull_index = pull_constant_loc[location];
> +
> if (pull_index == -1)
> continue;
>
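Review bot: the bound in `if (location >= uniforms)` is only correct if pull_constant_loc holds exactly `uniforms` entries, which the hunk does not show; please say so in the comment or assert it where the array is allocated, so the check and the allocation cannot drift apart. Setting `pull_index = -1` only to reach the `if (pull_index == -1) continue;` just below is roundabout: `if (location >= uniforms) continue;` followed by `int pull_index = pull_constant_loc[location];` is shorter and leaves no uninitialized declaration. Making `location` unsigned means a negative `reg + reg_offset` sum wraps to a large value and is rejected as well, which is worth a word in the comment because it is not obvious, and if `uniforms` is a signed int the comparison will draw a sign-compare warning.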