From 700aeaf9c863ea545fe529c1a7fcbc8e87c9adb4 Mon Sep 17 00:00:00 2001
From: Eric Anholt
Date: Tue, 8 Jan 2019 11:45:16 -0800
Subject: [PATCH] glsl: Fix buffer overflow with an atomic buffer binding out of range.

The binding is checked against the limits later in the function, so we need to make sure we don't overflow before the check here.

Fixes this valgrind warning (and sometimes segfault):

==1460== Invalid write of size 4
==1460== at 0x74C98DD: ast_declarator_list::hir(exec_list*, _mesa_glsl_parse_state*) (ast_to_hir.cpp:4943)
==1460== by 0x74C054F: _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*) (ast_to_hir.cpp:159)
==1460== by 0x7435C12: _mesa_glsl_compile_shader (glsl_parser_extras.cpp:2130)

in dEQP-GLES31.functional.debug.negative_coverage.get_error.compute. exceed_atomic_counters_limit

Reviewed-by: Timothy Arceri
---
 src/compiler/glsl/ast_to_hir.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_hir.cpp
index 8fdc189..611cfab 100644
--- a/src/compiler/glsl/ast_to_hir.cpp
+++ b/src/compiler/glsl/ast_to_hir.cpp
@@ -4940,7 +4940,8 @@ ast_declarator_list::hir(exec_list *instructions,
 && process_qualifier_constant(state, &loc, "offset",
 type->qualifier.offset,
 &qual_offset)) {
- state->atomic_counter_offsets[qual_binding] = qual_offset;
+ if (qual_binding < ARRAY_SIZE(state->atomic_counter_offsets))
+ state->atomic_counter_offsets[qual_binding] = qual_offset;
 }
 }
 
-- 
2.7.4
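Review bot: The added bounds check silently drops the offset for an out-of-range `qual_binding` without any comment explaining why that is acceptable, so a later reader may think an error is being swallowed here; add a comment above the new `if`, e.g. `/* Bindings >= ARRAY_SIZE are rejected later by the limit check; just avoid the out-of-bounds write here. */`. That reliance on the later check is only stated in the commit message, and the hunk does not show it, so it deserves to be recorded at the site. The comparison also presumes `qual_binding` is unsigned (its declaration is outside the hunk); if it were signed, a negative value converted to `size_t` would still fail the `<` test, but it is worth confirming the type so the guard is not accidentally widened. The enclosing `ast_declarator_list::hir` starts and ends outside the hunk.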