From f2b17dec1208423061309e0e03ba32b2c5566ace Mon Sep 17 00:00:00 2001
From: Danylo Piliaiev <danylo.piliaiev@globallogic.com>
Date: Fri, 21 Aug 2020 17:21:14 +0300
Subject: [PATCH] nir/lower_samplers: Clamp out-of-bounds access to array of
 samplers

Section 5.11 (Out-of-Bounds Accesses) of the GLSL 4.60 spec says:

"In the subsections described above for array, vector, matrix and
 structure accesses, any out-of-bounds access produced undefined
 behavior.... Out-of-bounds reads return undefined values, which
 include values from other variables of the active program or zero."

Robustness extensions suggest to return zero on out-of-bounds
accesses, however it's not applicable to the arrays of samplers,
so just clamp the index.

Otherwise instr->sampler_index or instr->texture_index would be out
of bounds, and they are used as an index to arrays of driver state.

E.g. this fixes such dereference:
 if (options->lower_tex_packing[tex->sampler_index] !=
in nir_lower_tex.c

CC: <mesa-stable@lists.freedesktop.org>
Signed-off-by: Danylo Piliaiev <danylo.piliaiev@globallogic.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/6428>
---
 src/compiler/nir/nir_lower_samplers.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/compiler/nir/nir_lower_samplers.c b/src/compiler/nir/nir_lower_samplers.c
index 3eb69bc..48e28c9 100644
--- a/src/compiler/nir/nir_lower_samplers.c
+++ b/src/compiler/nir/nir_lower_samplers.c
@@ -47,7 +47,27 @@ lower_tex_src_to_offset(nir_builder *b,
 
       if (nir_src_is_const(deref->arr.index) && index == NULL) {
          /* We're still building a direct index */
-         base_index += nir_src_as_uint(deref->arr.index) * array_elements;
+         unsigned index_in_array = nir_src_as_uint(deref->arr.index);
+
+         /* Section 5.11 (Out-of-Bounds Accesses) of the GLSL 4.60 spec says:
+          *
+          *    In the subsections described above for array, vector, matrix and
+          *    structure accesses, any out-of-bounds access produced undefined
+          *    behavior.... Out-of-bounds reads return undefined values, which
+          *    include values from other variables of the active program or zero.
+          *
+          * Robustness extensions suggest to return zero on out-of-bounds
+          * accesses, however it's not applicable to the arrays of samplers,
+          * so just clamp the index.
+          *
+          * Otherwise instr->sampler_index or instr->texture_index would be out
+          * of bounds, and they are used as an index to arrays of driver state.
+          */
+         if (index_in_array < glsl_array_size(parent->type)) {
+            base_index += index_in_array * array_elements;
+         } else {
+            base_index = glsl_array_size(parent->type) - 1;
+         }
       } else {
          if (index == NULL) {
             /* We used to be direct but not anymore */
-- 
2.7.4