nir/spirv: fix build_mat4_det stack smasher

When generating a sub-determinate matrix, a 3-element swizzle array was indexed with clever inline boolean logic. Unfortunately, when i and j are both 3, the index overruns the array, smashing the next variable on the stack. For 64 bit builds, the alignment of the 3-element unsigned array leaves 32 bits of spacing before the next local variable, hiding this bug. On i386, a subcolumn pointer was smashed then dereferenced.
author: Mark Janes <[email protected]> 2016-02-02 15:30:54 -0800
committer: Mark Janes <[email protected]> 2016-02-02 15:30:54 -0800
commit: 6a7e2904e0a2a6f8efbf739a1b3cad7e1e4ab42d (patch)
tree: 30e8a4636e16847dd2faa638ff9b7fe1f37ce0e0
parent: ea8c2d118a8c9645bedc86259ba42968ac27c239 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/src/glsl/nir/spirv/vtn_glsl450.c b/src/glsl/nir/spirv/vtn_glsl450.c
index 9c82c07894a..bc38aa4b1be 100644
--- a/src/glsl/nir/spirv/vtn_glsl450.c
+++ b/src/glsl/nir/spirv/vtn_glsl450.c
@@ -68,8 +68,11 @@ build_mat4_det(nir_builder *b, nir_ssa_def **col)
    nir_ssa_def *subdet[4];
    for (unsigned i = 0; i < 4; i++) {
       unsigned swiz[3];
-      for (unsigned j = 0; j < 4; j++)
-         swiz[j - (j > i)] = j;
+      for (unsigned j = 0, k = 0; j < 3; j++, k++) {
+         if (k == i)
+            k++; /* skip column */
+         swiz[j] = k;
+      }
 
       nir_ssa_def *subcol[3];
       subcol[0] = nir_swizzle(b, col[1], swiz, 3, true);
author	Mark Janes <[email protected]>	2016-02-02 15:30:54 -0800
committer	Mark Janes <[email protected]>	2016-02-02 15:30:54 -0800
commit	6a7e2904e0a2a6f8efbf739a1b3cad7e1e4ab42d (patch)
tree	30e8a4636e16847dd2faa638ff9b7fe1f37ce0e0
parent	ea8c2d118a8c9645bedc86259ba42968ac27c239 (diff)