summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIago Toral Quiroga <itoral@igalia.com>2015-03-10 11:36:43 +0100
committerEmil Velikov <emil.l.velikov@gmail.com>2015-03-11 18:37:18 +0000
commit4de2f250830ec119d13153da4651a9c06079555e (patch)
tree26b67091ccde2213c0fd8f2325a21967c1b0b7f0
parentfbd06fe65c0fe57f0dea96c87d9f0eb5abc72bb7 (diff)
i965: Fix out-of-bounds accesses into pull_constant_loc array
The piglit test glsl-fs-uniform-array-loop-unroll.shader_test was designed to do an out of bounds access into an uniform array to make sure that we handle that situation gracefully inside the driver, however, as Ken describes in bug 79202, Valgrind reports that this is leading to an out-of-bounds access in fs_visitor::demote_pull_constants(). Before accessing the pull_constant_loc array we should make sure that the uniform we are trying to access is valid. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=79202 Reviewed-by: Matt Turner <mattst88@gmail.com> (cherry picked from commit 6ac1bc90c4a7a6f32901a9782e14b090f6fe5270) Nominated-by: Matt Turner <mattst88@gmail.com>
-rw-r--r--src/mesa/drivers/dri/i965/brw_fs.cpp9
1 files changed, 7 insertions, 2 deletions
diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp
index 97568c129f8..1bbd84cd65a 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs.cpp
@@ -2286,8 +2286,13 @@ fs_visitor::demote_pull_constants()
if (inst->src[i].file != UNIFORM)
continue;
- int pull_index = pull_constant_loc[inst->src[i].reg +
- inst->src[i].reg_offset];
+ int pull_index;
+ unsigned location = inst->src[i].reg + inst->src[i].reg_offset;
+ if (location >= uniforms) /* Out of bounds access */
+ pull_index = -1;
+ else
+ pull_index = pull_constant_loc[location];
+
if (pull_index == -1)
continue;