[Mesa-dev] [PATCH] glsl: avoid stack smashing when there are too many attributes
Iago Toral
itoral at igalia.com
Tue Mar 8 14:54:48 UTC 2016
On Sun, 2016-03-06 at 12:21 -0500, Ilia Mirkin wrote:
> This fixes a crash in
>
> dEQP-GLES3.functional.transform_feedback.array_element.separate.points.lowp_mat3x2
>
> and likely others. The vertex shader has > 16 input variables (without
> explicit locations), which causes us to index outside of the to_assign
> array.
>
> Signed-off-by: Ilia Mirkin <imirkin at alum.mit.edu>
> Cc: "11.1 11.2" <mesa-stable at lists.freedesktop.org>
> ---
>
> Not sure if this is the right thing or whether we should be making the to_assign array dynamically resizable. This definitely fixes the crashes though.
FWIW, I had sent a similar patch about a year ago to fix this:
https://lists.freedesktop.org/archives/mesa-dev/2015-July/090121.html
Not sure that it is any better...
> src/compiler/glsl/linker.cpp | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/src/compiler/glsl/linker.cpp b/src/compiler/glsl/linker.cpp
> index 3039232..f0d8507 100644
> --- a/src/compiler/glsl/linker.cpp
> +++ b/src/compiler/glsl/linker.cpp
> @@ -2625,6 +2625,11 @@ assign_attribute_or_color_locations(gl_shader_program *prog,
> continue;
> }
>
> + if (num_attr >= ARRAY_SIZE(to_assign)) {
> + linker_error(prog, "too many attributes (max %zu)",
> + ARRAY_SIZE(to_assign));
> + return false;
> + }
> to_assign[num_attr].slots = slots;
> to_assign[num_attr].var = var;
> num_attr++;
More information about the mesa-dev
mailing list