[Mesa-dev] [PATCH] glsl: Fix overflow of ImageAccess[] array.

Kenneth Graunke kenneth at whitecape.org
Sun Feb 14 01:27:42 UTC 2016


The ImageAccess array is statically sized to MAX_IMAGE_UNIFORMS:

   GLenum ImageAccess[MAX_IMAGE_UNIFORMS];

There was no bounds checking ensuring we don't overflow.  Passing in a
shader with too many uniforms would cause writes to extend into other
fields, such as sh->NumImages.

Later linker checks already handle reporting an error when there are too
many images, so just avoid corrupting structures here.

This rearranges the logic a bit to look more like the sampler case.

Signed-off-by: Kenneth Graunke <kenneth at whitecape.org>
---
 src/compiler/glsl/link_uniforms.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp
index 7072c16..f08ca47 100644
--- a/src/compiler/glsl/link_uniforms.cpp
+++ b/src/compiler/glsl/link_uniforms.cpp
@@ -649,15 +649,15 @@ private:
              current_var->data.image_write_only ? GL_WRITE_ONLY :
                 GL_READ_WRITE);
 
-         for (unsigned j = 0; j < MAX2(1, uniform->array_elements); ++j)
-            prog->_LinkedShaders[shader_type]->
-               ImageAccess[this->next_image + j] = access;
+         const unsigned first = this->next_image;
 
          /* Increment the image index by 1 for non-arrays and by the
           * number of array elements for arrays.
           */
          this->next_image += MAX2(1, uniform->array_elements);
 
+         for (unsigned i = first; i < MIN2(next_image, MAX_IMAGE_UNIFORMS); i++)
+            prog->_LinkedShaders[shader_type]-> ImageAccess[i] = access;
       }
    }
 
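Review bot: the clamp in the added loop, `i < MIN2(next_image, MAX_IMAGE_UNIFORMS)`, silently drops the access qualifier for every image past the limit, and nothing in the code says why that is safe. The commit message explains that a later linker check reports the too-many-images error, so a one-line comment above the loop saying the same would keep a future reader from treating the truncation as a bug or from removing the MIN2. Two smaller points on the same lines: the loop bound uses bare `next_image` where the surrounding code writes `this->next_image`, and `-> ImageAccess[i]` has a stray space after the arrow. Since `this->next_image` still advances past MAX_IMAGE_UNIFORMS, it is worth confirming that no other user of that counter indexes a MAX_IMAGE_UNIFORMS-sized array without a similar bound.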
-- 
2.7.1


