[Mesa-dev] [PATCH] glsl: avoid stack smashing when there are too many attributes

Timothy Arceri timothy.arceri at collabora.com
Mon Mar 7 03:36:13 UTC 2016


On Sun, 2016-03-06 at 12:21 -0500, Ilia Mirkin wrote:
> This fixes a crash in
> 
> dEQP-
> GLES3.functional.transform_feedback.array_element.separate.points.low
> p_mat3x2
> 
> and likely others. The vertex shader has > 16 input variables
> (without
> explicit locations), which causes us to index outside of the
> to_assign
> array.
> 
> Signed-off-by: Ilia Mirkin <imirkin at alum.mit.edu>
> Cc: "11.1 11.2" <mesa-stable at lists.freedesktop.org>
> ---
> 
> Not sure if this is the right thing or whether we should be making
> the to_assign array dynamically resizable. This definitely fixes the
> crashes though.

Fixing the crash seems like a good first step. I think we should also
say if its vs inputs or fs outputs in the error message. With that
change:

Reviewed-by: Timothy Arceri <timothy.arceri at collabora.com>

> 
>  src/compiler/glsl/linker.cpp | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/src/compiler/glsl/linker.cpp
> b/src/compiler/glsl/linker.cpp
> index 3039232..f0d8507 100644
> --- a/src/compiler/glsl/linker.cpp
> +++ b/src/compiler/glsl/linker.cpp
> @@ -2625,6 +2625,11 @@
> assign_attribute_or_color_locations(gl_shader_program *prog,
>  	 continue;
>        }
>  
> +      if (num_attr >= ARRAY_SIZE(to_assign)) {
> +         linker_error(prog, "too many attributes (max %zu)",
> +                      ARRAY_SIZE(to_assign));
> +         return false;
> +      }
>        to_assign[num_attr].slots = slots;
>        to_assign[num_attr].var = var;
>        num_attr++;


More information about the mesa-dev mailing list