summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Anholt <[email protected]>2019-01-08 11:45:16 -0800
committerEric Anholt <[email protected]>2019-01-08 15:44:58 -0800
commit700aeaf9c863ea545fe529c1a7fcbc8e87c9adb4 (patch)
treedc7c7dc1235199533b5ea003a8c8132b05389150
parent211b826790c499ba54e4cdf871b42e0b34b8f27d (diff)
glsl: Fix buffer overflow with an atomic buffer binding out of range.
The binding is checked against the limits later in the function, so we need to make sure we don't overflow before the check here. Fixes this valgrind warning (and sometimes segfault): ==1460== Invalid write of size 4 ==1460== at 0x74C98DD: ast_declarator_list::hir(exec_list*, _mesa_glsl_parse_state*) (ast_to_hir.cpp:4943) ==1460== by 0x74C054F: _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*) (ast_to_hir.cpp:159) ==1460== by 0x7435C12: _mesa_glsl_compile_shader (glsl_parser_extras.cpp:2130) in dEQP-GLES31.functional.debug.negative_coverage.get_error.compute. exceed_atomic_counters_limit Reviewed-by: Timothy Arceri <[email protected]>
-rw-r--r--src/compiler/glsl/ast_to_hir.cpp3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_hir.cpp
index 8fdc1890ab0..611cfabbd03 100644
--- a/src/compiler/glsl/ast_to_hir.cpp
+++ b/src/compiler/glsl/ast_to_hir.cpp
@@ -4940,7 +4940,8 @@ ast_declarator_list::hir(exec_list *instructions,
&& process_qualifier_constant(state, &loc, "offset",
type->qualifier.offset,
&qual_offset)) {
- state->atomic_counter_offsets[qual_binding] = qual_offset;
+ if (qual_binding < ARRAY_SIZE(state->atomic_counter_offsets))
+ state->atomic_counter_offsets[qual_binding] = qual_offset;
}
}