From c6f9a91015afa967987087cab8ce870a03868fb2 Mon Sep 17 00:00:00 2001
From: Brian Paul <brianp@vmware.com>
Date: Mon, 6 Jun 2022 15:06:49 -0600
Subject: [PATCH] llvmpipe: fix invalid memory used in lp_fs_linear_run

We were saving the address of the constants[] and nir_constants[]
arrays in the jit structure.  But those arrays went out of scope
before use.

This patch moves the constants[] array to the function scope and
consolidates the TGSI/NIR paths.

Signed-off-by: Brian Paul <brianp@vmware.com>
Reviewed-by: Roland Scheidegger <sroland@vmware.com>
cc: mesa-stable

Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/17062>
---
 src/gallium/drivers/llvmpipe/lp_linear.c | 42 ++++++++++++--------------------
 1 file changed, 15 insertions(+), 27 deletions(-)

diff --git a/src/gallium/drivers/llvmpipe/lp_linear.c b/src/gallium/drivers/llvmpipe/lp_linear.c
index a93de4a..c4a81ec 100644
--- a/src/gallium/drivers/llvmpipe/lp_linear.c
+++ b/src/gallium/drivers/llvmpipe/lp_linear.c
@@ -85,8 +85,7 @@ lp_fs_linear_run(const struct lp_rast_state *state,
 {
    const struct lp_fragment_shader_variant *variant = state->variant;
    const struct lp_tgsi_info *info = &variant->shader->info;
-   struct lp_jit_linear_context jit;
-   int nr_consts = info->base.file_max[TGSI_FILE_CONSTANT]+1;
+   uint8_t constants[LP_MAX_LINEAR_CONSTANTS * 4];
 
    LP_DBG(DEBUG_RAST, "%s\n", __FUNCTION__);
 
@@ -101,36 +100,25 @@ lp_fs_linear_run(const struct lp_rast_state *state,
 
    /* XXX: Per statechange:
     */
+   int nr_consts; // in floats, not float[4]
    if (variant->shader->base.type == PIPE_SHADER_IR_TGSI) {
-      uint8_t constants[LP_MAX_LINEAR_CONSTANTS][4];
-
-      for (int i = 0; i < nr_consts; i++) {
-         for (int j = 0; j < 4; j++) {
-            float val = state->jit_context.constants[0][i*4+j];
-            if (val < 0.0f || val > 1.0f) {
-               if (LP_DEBUG & DEBUG_LINEAR2)
-                  debug_printf("  -- const[%d] out of range %f\n", i, val);
-               goto fail;
-            }
-            constants[i][j] = (uint8_t)(val * 255.0f);
-         }
-      }
-      jit.constants = (const uint8_t (*)[4])constants;
+      nr_consts = (info->base.file_max[TGSI_FILE_CONSTANT] + 1) * 4;
    } else {
-      uint8_t nir_constants[LP_MAX_LINEAR_CONSTANTS * 4];
-
-      for (int i = 0; i < state->jit_context.num_constants[0]; i++){
-         float val = state->jit_context.constants[0][i];
-         if (val < 0.0f || val > 1.0f) {
-            if (LP_DEBUG & DEBUG_LINEAR2)
-               debug_printf("  -- const[%d] out of range %f\n", i, val);
-            goto fail;
-         }
-         nir_constants[i] = (uint8_t)(val * 255.0f);
+      nr_consts = state->jit_context.num_constants[0];
+   }
+   for (int i = 0; i < nr_consts; i++){
+      float val = state->jit_context.constants[0][i];
+      if (val < 0.0f || val > 1.0f) {
+         if (LP_DEBUG & DEBUG_LINEAR2)
+            debug_printf("  -- const[%d] out of range %f\n", i, val);
+         goto fail;
       }
-      jit.constants = (const uint8_t (*)[4])nir_constants;
+      constants[i] = (uint8_t)(val * 255.0f);
    }
 
+   struct lp_jit_linear_context jit;
+   jit.constants = (const uint8_t (*)[4])constants;
+
    /* We assume BGRA ordering */
    assert(variant->key.cbuf_format[0] == PIPE_FORMAT_B8G8R8X8_UNORM ||
           variant->key.cbuf_format[0] == PIPE_FORMAT_B8G8R8A8_UNORM);
-- 
2.7.4