[Mesa-dev] [PATCH] spirv_to_nir: Avoid out of bounds access to nir src array.

robert.foss at collabora.com robert.foss at collabora.com
Thu Apr 21 21:46:48 UTC 2016


From: Robert Foss <robert.foss at collabora.com>

Avoid out of bounds access of the array 'src'.

'src' is passed along:
    nir_eval_const_opcode()
    evaluate_bitfield_insert()

In evaluate_bitfield_insert() an access to src[3] is made
if bit_size==32 which it always will be due to the
assert(bit_size == 32) on spirv_to_nir.c:1045.

Since 'src' is of length 3, this is out of bounds.

Coverity id: 1358582
Signed-off-by: Robert Foss <robert.foss at collabora.com>
---
 src/compiler/spirv/spirv_to_nir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/compiler/spirv/spirv_to_nir.c b/src/compiler/spirv/spirv_to_nir.c
index 99514b4..46ede6a 100644
--- a/src/compiler/spirv/spirv_to_nir.c
+++ b/src/compiler/spirv/spirv_to_nir.c
@@ -1035,7 +1035,7 @@ vtn_handle_constant(struct vtn_builder *b, SpvOp opcode,
          unsigned bit_size =
             glsl_get_bit_size(glsl_get_base_type(val->const_type));
 
-         nir_const_value src[3];
+         nir_const_value src[4];
          assert(count <= 7);
          for (unsigned i = 0; i < count - 4; i++) {
             nir_constant *c =
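
Review bot: At `nir_const_value src[4];` the new fourth element is in bounds but never written. The loop runs `count - 4` times, and `assert(count <= 7)` caps that at three iterations, so only src[0] to src[2] are filled. The read of src[3] in evaluate_bitfield_insert() described in the commit message then picks up indeterminate stack contents rather than a defined value. Suggest zero-initializing the array (an initializer on the declaration or a memset before the loop). Also add a short comment tying the length 4 to the widest access made through nir_eval_const_opcode(), so the size is not a bare magic number next to an assert that still implies three operands.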
-- 
2.5.0


