[Mesa-dev] [PATCH] spirv: Avoid out of bounds access to nir src array.

Kenneth Graunke kenneth at whitecape.org
Fri Jun 3 18:29:44 UTC 2016


On Friday, June 3, 2016 10:28:34 AM PDT Jason Ekstrand wrote:
> On Jun 3, 2016 8:43 AM, <robert.foss at collabora.com> wrote:
> >
> > From: Robert Foss <robert.foss at collabora.com>
> >
> > Avoid out of bounds access of the array 'src'.
> >
> > 'src' is passed along:
> >     nir_eval_const_opcode()
> >     evaluate_bitfield_insert()
> >
> > In evaluate_bitfield_insert() an access to src[3] is made
> > if bit_size==32 wich it always will be due to the
> > assert(bit_size == 32) on spirv_to_nir.c:1045.
> >
> > Since 'src' is of length 3, this is out of bounds.
> >
> > Coverity id: 1358582
> >
> > Signed-off-by: Robert Foss <robert.foss at collabora.com>
> > ---
> >  src/compiler/spirv/spirv_to_nir.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/src/compiler/spirv/spirv_to_nir.c
> b/src/compiler/spirv/spirv_to_nir.c
> > index 99514b4..46ede6a 100644
> > --- a/src/compiler/spirv/spirv_to_nir.c
> > +++ b/src/compiler/spirv/spirv_to_nir.c
> > @@ -1035,7 +1035,7 @@ vtn_handle_constant(struct vtn_builder *b, SpvOp
> opcode,
> >           unsigned bit_size =
> >              glsl_get_bit_size(glsl_get_base_type(val->const_type));
> >
> > -         nir_const_value src[3];
> > +         nir_const_value src[4];
> 
> None of the Opcode's evaluated as specialization constants have four
> sources so this will never be a problem.  Hence the assert on the next
> line.  I think we should just mark this as a false positive.
> 
> >           assert(count <= 7);
> >           for (unsigned i = 0; i < count - 4; i++) {
> >              nir_constant *c =

Would promoting assert(count <= 7) to assume(count <= 7) make Coverity
happy?  (CC'd Matt, he'd probably know...)

--Ken
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.freedesktop.org/archives/mesa-dev/attachments/20160603/0fbb1d42/attachment.sig>


More information about the mesa-dev mailing list