[Mesa-dev] [PATCH] spirv: Avoid out of bounds access to nir src array.
Jason Ekstrand
jason at jlekstrand.net
Fri Jun 3 18:35:35 UTC 2016
On Jun 3, 2016 11:29 AM, "Kenneth Graunke" <kenneth at whitecape.org> wrote:
>
> On Friday, June 3, 2016 10:28:34 AM PDT Jason Ekstrand wrote:
> > On Jun 3, 2016 8:43 AM, <robert.foss at collabora.com> wrote:
> > >
> > > From: Robert Foss <robert.foss at collabora.com>
> > >
> > > Avoid out of bounds access of the array 'src'.
> > >
> > > 'src' is passed along:
> > > nir_eval_const_opcode()
> > > evaluate_bitfield_insert()
> > >
> > > In evaluate_bitfield_insert() an access to src[3] is made
> > > if bit_size==32 which it always will be due to the
> > > assert(bit_size == 32) on spirv_to_nir.c:1045.
> > >
> > > Since 'src' is of length 3, this is out of bounds.
> > >
> > > Coverity id: 1358582
> > >
> > > Signed-off-by: Robert Foss <robert.foss at collabora.com>
> > > ---
> > > src/compiler/spirv/spirv_to_nir.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/src/compiler/spirv/spirv_to_nir.c
> > b/src/compiler/spirv/spirv_to_nir.c
> > > index 99514b4..46ede6a 100644
> > > --- a/src/compiler/spirv/spirv_to_nir.c
> > > +++ b/src/compiler/spirv/spirv_to_nir.c
> > > @@ -1035,7 +1035,7 @@ vtn_handle_constant(struct vtn_builder *b, SpvOp
> > opcode,
> > > unsigned bit_size =
> > > glsl_get_bit_size(glsl_get_base_type(val->const_type));
> > >
> > > - nir_const_value src[3];
> > > + nir_const_value src[4];
> >
> > None of the opcodes evaluated as specialization constants have four
> > sources so this will never be a problem. Hence the assert on the next
> > line. I think we should just mark this as a false positive.
> >
> > > assert(count <= 7);
> > > for (unsigned i = 0; i < count - 4; i++) {
> > > nir_constant *c =
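Review bot: at the `nir_const_value src[4];` declaration, the fourth element is never given a value, because `assert(count <= 7)` limits the `i < count - 4` loop to three iterations, so the `src[3]` read described in the commit message would move from out of bounds to an uninitialized element rather than go away. If the array is enlarged, zero-initialize it at the declaration; otherwise keep the size at 3 and add an assertion or comment next to `assert(count <= 7)` stating that no four-source opcode reaches this path, which is the invariant the analyzer cannot see. Separately, `count` is unsigned and only an upper bound is visible here, so `count - 4` wraps for `count < 4`; a lower-bound assert alongside the existing one would document that too.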
>
> Would promoting assert(count <= 7) to assume(count <= 7) make Coverity
> happy? (CC'd Matt, he'd probably know...)
I thought about that but I doubt it. What Coverity really needs to know is
that it will never get any 4-src opcodes which isn't really clear from
count.
> --Ken