glsl: Fix overflow of ImageAccess[] array.

The ImageAccess array is statically sized to MAX_IMAGE_UNIFORMS:

   GLenum ImageAccess[MAX_IMAGE_UNIFORMS];

There was no bounds checking ensuring we don't overflow.  Passing in a
shader with too many uniforms would cause writes to extend into other
fields, such as sh->NumImages.

Later linker checks already handle reporting an error when there are too
many images, so just avoid corrupting structures here.

This rearranges the logic a bit to look more like the sampler case.

Signed-off-by: Kenneth Graunke <kenneth@whitecape.org>
Reviewed-by: Ilia Mirkin <imirkin@alum.mit.edu>
Reviewed-by: Timothy Arceri <timothy.arceri@collabora.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Tested-by: Jordan Justen <jordan.l.justen@intel.com>

diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp
index 7072c16..d18a2f2 100644 (file)
--- a/src/compiler/glsl/link_uniforms.cpp
+++ b/src/compiler/glsl/link_uniforms.cpp
@@ -649,15 +649,15 @@ private:
              current_var->data.image_write_only ? GL_WRITE_ONLY :
                 GL_READ_WRITE);
 
-         for (unsigned j = 0; j < MAX2(1, uniform->array_elements); ++j)
-            prog->_LinkedShaders[shader_type]->
-               ImageAccess[this->next_image + j] = access;
+         const unsigned first = this->next_image;
 
          /* Increment the image index by 1 for non-arrays and by the
           * number of array elements for arrays.
           */
          this->next_image += MAX2(1, uniform->array_elements);
 
+         for (unsigned i = first; i < MIN2(next_image, MAX_IMAGE_UNIFORMS); i++)
+            prog->_LinkedShaders[shader_type]->ImageAccess[i] = access;
       }
    }