<p dir="ltr"><br>
On Jun 3, 2016 8:43 AM, <<a href="mailto:robert.foss@collabora.com">robert.foss@collabora.com</a>> wrote:<br>
><br>
> From: Robert Foss <<a href="mailto:robert.foss@collabora.com">robert.foss@collabora.com</a>><br>
><br>
> Avoid out of bounds access of the array 'src'.<br>
><br>
> 'src' is passed along:<br>
> nir_eval_const_opcode()<br>
> evaluate_bitfield_insert()<br>
><br>
> In evaluate_bitfield_insert() an access to src[3] is made<br>
> if bit_size==32 wich it always will be due to the<br>
> assert(bit_size == 32) on spirv_to_nir.c:1045.<br>
><br>
> Since 'src' is of length 3, this is out of bounds.<br>
><br>
> Coverity id: 1358582<br>
><br>
> Signed-off-by: Robert Foss <<a href="mailto:robert.foss@collabora.com">robert.foss@collabora.com</a>><br>
> ---<br>
> src/compiler/spirv/spirv_to_nir.c | 2 +-<br>
> 1 file changed, 1 insertion(+), 1 deletion(-)<br>
><br>
> diff --git a/src/compiler/spirv/spirv_to_nir.c b/src/compiler/spirv/spirv_to_nir.c<br>
> index 99514b4..46ede6a 100644<br>
> --- a/src/compiler/spirv/spirv_to_nir.c<br>
> +++ b/src/compiler/spirv/spirv_to_nir.c<br>
> @@ -1035,7 +1035,7 @@ vtn_handle_constant(struct vtn_builder *b, SpvOp opcode,<br>
> unsigned bit_size =<br>
> glsl_get_bit_size(glsl_get_base_type(val->const_type));<br>
><br>
> - nir_const_value src[3];<br>
> + nir_const_value src[4];</p>
<p dir="ltr">None of the Opcode's evaluated as specialization constants have four sources so this will never be a problem. Hence the assert on the next line. I think we should just mark this as a false positive.</p>
<p dir="ltr">> assert(count <= 7);<br>
> for (unsigned i = 0; i < count - 4; i++) {<br>
> nir_constant *c =<br>
> --<br>
> 2.7.4<br>
><br>
> _______________________________________________<br>
> mesa-dev mailing list<br>
> <a href="mailto:mesa-dev@lists.freedesktop.org">mesa-dev@lists.freedesktop.org</a><br>
> <a href="https://lists.freedesktop.org/mailman/listinfo/mesa-dev">https://lists.freedesktop.org/mailman/listinfo/mesa-dev</a><br>
</p>