nir/unsigned_upper_bound: fix buffer overflow in search_phi_bcsel

It should only recurse if there's enough space to add the phi sources. Signed-off-by: Rhys Perry <pendingchaos02@gmail.com> Reviewed-by: Daniel Schürmann <daniel@schuermann.dev> Fixes: 72ac3f60261 ("nir: add nir_unsigned_upper_bound and nir_addition_might_overflow") Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/7748> (cherry picked from commit 65fbae16e37b5f349a0d0feb8d54ba132a1f02f4)
author: Rhys Perry <pendingchaos02@gmail.com> 2020-11-24 10:52:56 +0000
committer: Dylan Baker <dylan.c.baker@intel.com> 2020-12-01 09:12:32 -0800
commit: bfb711b20990b2aae2006f6f8857bfdf566761f4 (patch)
tree: 1b0af7d605f658d5a491ef79d921e694ced49f58
parent: 9c6e0fb47615d380f3d1202a6718d2781af79197 (diff)
2 files changed, 12 insertions, 9 deletions
diff --git a/.pick_status.json b/.pick_status.json
index 28d6e2c9475..304b38574e8 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -2416,7 +2416,7 @@
         "description": "nir/unsigned_upper_bound: fix buffer overflow in search_phi_bcsel",
         "nominated": true,
         "nomination_type": 1,
-        "resolution": 0,
+        "resolution": 1,
         "master_sha": null,
         "because_sha": "72ac3f60261a8510512861b93e843e695331e2ab"
     },
diff --git a/src/compiler/nir/nir_range_analysis.c b/src/compiler/nir/nir_range_analysis.c
index e23c7c4fdb7..04449a91232 100644
--- a/src/compiler/nir/nir_range_analysis.c
+++ b/src/compiler/nir/nir_range_analysis.c
@@ -1102,6 +1102,7 @@ static uint64_t mul_clamp(uint32_t a, uint32_t b)
       return a * b;
 }
 
+/* recursively gather at most "buf_size" phi/bcsel sources */
 static unsigned
 search_phi_bcsel(nir_ssa_scalar scalar, nir_ssa_scalar *buf, unsigned buf_size, struct set *visited)
 {
@@ -1112,15 +1113,17 @@ search_phi_bcsel(nir_ssa_scalar scalar, nir_ssa_scalar *buf, unsigned buf_size,
    if (scalar.def->parent_instr->type == nir_instr_type_phi) {
       nir_phi_instr *phi = nir_instr_as_phi(scalar.def->parent_instr);
       unsigned num_sources_left = exec_list_length(&phi->srcs);
-      unsigned total_added = 0;
-      nir_foreach_phi_src(src, phi) {
-         unsigned added = search_phi_bcsel(
-            (nir_ssa_scalar){src->src.ssa, 0}, buf + total_added, buf_size - num_sources_left, visited);
-         buf_size -= added;
-         total_added += added;
-         num_sources_left--;
+      if (buf_size >= num_sources_left) {
+         unsigned total_added = 0;
+         nir_foreach_phi_src(src, phi) {
+            unsigned added = search_phi_bcsel(
+               (nir_ssa_scalar){src->src.ssa, 0}, buf + total_added, buf_size - num_sources_left, visited);
+            buf_size -= added;
+            total_added += added;
+            num_sources_left--;
+         }
+         return total_added;
       }
-      return total_added;
    }
 
    if (nir_ssa_scalar_is_alu(scalar)) {
author	Rhys Perry <pendingchaos02@gmail.com>	2020-11-24 10:52:56 +0000
committer	Dylan Baker <dylan.c.baker@intel.com>	2020-12-01 09:12:32 -0800
commit	bfb711b20990b2aae2006f6f8857bfdf566761f4 (patch)
tree	1b0af7d605f658d5a491ef79d921e694ced49f58
parent	9c6e0fb47615d380f3d1202a6718d2781af79197 (diff)