From 4da6cf6c98aeca8c143ecb5e0ada5e1eee81a0f5 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Nicolai=20H=C3=A4hnle?= Date: Thu, 24 Aug 2017 15:41:08 +0200 Subject: [PATCH] glsl: fix glsl_struct_field size calculations for shader cache Found by address sanitizer: ==22621==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000cbd8 at pc 0x7f561610a4ff bp 0x7ffca85f9d50 sp 0x7ffca85f94f8 READ of size 344 at 0x61400000cbd8 thread T0 #0 0x7f561610a4fe (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5f4fe) #1 0x7f560bb305a5 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53 #2 0x7f560bb305a5 in blob_write_bytes ../../../mesa-src/src/compiler/glsl/blob.c:136 #3 0x7f560be7d7ff in encode_type_to_blob ../../../mesa-src/src/compiler/glsl/shader_cache.cpp:153 #4 0x7f560be81222 in write_program_resource_data ../../../mesa-src/src/compiler/glsl/shader_cache.cpp:950 #5 0x7f560be81222 in write_program_resource_list ../../../mesa-src/src/compiler/glsl/shader_cache.cpp:1118 #6 0x7f560be81222 in shader_cache_write_program_metadata(gl_context*, gl_shader_program*) ../../../mesa-src/src/compiler/glsl/shader_cache.cpp:1407 #7 0x7f560b825fdb in link_program ../../../mesa-src/src/mesa/main/shaderapi.c:1163 Fixes: 073a84ff60db ("glsl: stop adding pointers from glsl_struct_field to the cache") Reviewed-by: Timothy Arceri
--- src/compiler/glsl/shader_cache.cpp | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/compiler/glsl/shader_cache.cpp b/src/compiler/glsl/shader_cache.cpp
index 3af14be..a6e9982 100644
--- a/src/compiler/glsl/shader_cache.cpp
+++ b/src/compiler/glsl/shader_cache.cpp
@@ -76,10 +76,9 @@ compile_shaders(struct gl_context *ctx, struct gl_shader_program *prog)
{
static void
get_struct_type_field_and_pointer_sizes(size_t *s_field_size,
- size_t *s_field_ptrs,
- unsigned num_fields)
+ size_t *s_field_ptrs)
{
- *s_field_size = sizeof(glsl_struct_field) * num_fields;
+ *s_field_size = sizeof(glsl_struct_field);
*s_field_ptrs = sizeof(((glsl_struct_field *)0)->type) + sizeof(((glsl_struct_field *)0)->name);
@@ -140,8 +139,7 @@ encode_type_to_blob(struct blob *blob, const glsl_type *type)
blob_write_uint32(blob, type->length);
size_t s_field_size, s_field_ptrs;
- get_struct_type_field_and_pointer_sizes(&s_field_size, &s_field_ptrs,
- type->length);
+ get_struct_type_field_and_pointer_sizes(&s_field_size, &s_field_ptrs);
for (unsigned i = 0; i < type->length; i++) {
encode_type_to_blob(blob, type->fields.structure[i].type);
@@ -213,8 +211,7 @@ decode_type_from_blob(struct blob_reader *blob)
unsigned num_fields = blob_read_uint32(blob);
size_t s_field_size, s_field_ptrs;
- get_struct_type_field_and_pointer_sizes(&s_field_size, &s_field_ptrs,
- num_fields);
+ get_struct_type_field_and_pointer_sizes(&s_field_size, &s_field_ptrs);
glsl_struct_field *fields = (glsl_struct_field *) malloc(s_field_size * num_fields);
-- 
2.7.4
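Review bot: The allocation on the last line of the third hunk, `malloc(s_field_size * num_fields)`, multiplies the now per-field size by a count read directly from the cache blob via `blob_read_uint32`, and on a 32-bit `size_t` that product can wrap and under-allocate the array the per-field reads then fill; `calloc(num_fields, s_field_size)` performs the same allocation with the overflow check built in, if the zero-fill is acceptable there. Whether the result is checked for NULL before use is outside the hunk and should be confirmed at the same time, since a corrupted or truncated cache file is the input here. In the first hunk the helper's name still reads as if it sized the whole field array, so a comment above `get_struct_type_field_and_pointer_sizes` such as `/* Size of one glsl_struct_field, and the bytes of its pointer members (type, name) that are not stored in the cache. */` would document the changed contract that the callers in the second and third hunks now rely on. Both `encode_type_to_blob` and `decode_type_from_blob` continue outside their hunks.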