authorEric Anholt <eric@anholt.net>2019-01-08 11:45:16 -0800
committerEric Anholt <eric@anholt.net>2019-01-08 15:44:58 -0800
commit700aeaf9c863ea545fe529c1a7fcbc8e87c9adb4 (patch)
treedc7c7dc1235199533b5ea003a8c8132b05389150
parent211b826790c499ba54e4cdf871b42e0b34b8f27d (diff)
glsl: Fix buffer overflow with an atomic buffer binding out of range.
The binding is checked against the limits later in the function, so we need to make sure we don't overflow before the check here.

Fixes this valgrind warning (and sometimes segfault):

==1460== Invalid write of size 4
==1460==    at 0x74C98DD: ast_declarator_list::hir(exec_list*, _mesa_glsl_parse_state*) (ast_to_hir.cpp:4943)
==1460==    by 0x74C054F: _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*) (ast_to_hir.cpp:159)
==1460==    by 0x7435C12: _mesa_glsl_compile_shader (glsl_parser_extras.cpp:2130)

in dEQP-GLES31.functional.debug.negative_coverage.get_error.compute.exceed_atomic_counters_limit

Reviewed-by: Timothy Arceri <tarceri@itsqueeze.com>
-rw-r--r--src/compiler/glsl/ast_to_hir.cpp3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_hir.cpp
index 8fdc1890ab0..611cfabbd03 100644
--- a/src/compiler/glsl/ast_to_hir.cpp
+++ b/src/compiler/glsl/ast_to_hir.cpp
@@ -4940,7 +4940,8 @@ ast_declarator_list::hir(exec_list *instructions,
&& process_qualifier_constant(state, &loc, "offset",
type->qualifier.offset,
&qual_offset)) {
- state->atomic_counter_offsets[qual_binding] = qual_offset;
+ if (qual_binding < ARRAY_SIZE(state->atomic_counter_offsets))
+ state->atomic_counter_offsets[qual_binding] = qual_offset;
}
}
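Review bot: The new guard on `state->atomic_counter_offsets[qual_binding]` skips an out-of-range binding silently, and nothing at this spot says where the error is actually reported. A short comment above the `if`, such as `/* Out-of-range bindings are rejected later in this function; here we only avoid the out-of-bounds store. */`, would keep a later refactor from dropping either check. The bound is the array's compile-time size rather than the implementation's binding limit, which is right for memory safety but means this line is not the validation itself. Because the binding value comes from shader source, any other place that indexes `atomic_counter_offsets` with a layout binding presumably needs the same bound; none is visible in this hunk. The enclosing function begins and ends outside the hunk.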