Module: Mesa Branch: main Commit: f440e8267985bc2a65214e11103367e2922bba3f URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=f440e8267985bc2a65214e11103367e2922bba3f
Author: Rhys Perry <[email protected]> Date: Wed Sep 27 13:00:21 2023 +0100 ac/nir: fix out-of-bounds access in ac_nir_export_position These accesses (and similar) in ac_nir_exprot_position were out-of-bounds: if (!outputs[VARYING_SLOT_PSIZ][0]) outputs_written &= ~VARYING_BIT_PSIZ; I don't think this caused any real issue, but this silences ASan: ==40091==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f8ffa6b1cb8 at pc 0x7f900da99068 bp 0x7f8ffb8871d0 sp 0x7f8ffb8871c8 Signed-off-by: Rhys Perry <[email protected]> Reviewed-by: Samuel Pitoiset <[email protected]> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/25432>
---
 src/amd/common/ac_nir_lower_ngg.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/amd/common/ac_nir_lower_ngg.c b/src/amd/common/ac_nir_lower_ngg.c
index 5cc8c620fa9..ec051eaf1ac 100644
--- a/src/amd/common/ac_nir_lower_ngg.c
+++ b/src/amd/common/ac_nir_lower_ngg.c
@@ -2360,11 +2360,14 @@ export_pos0_wait_attr_ring(nir_builder *b, nir_if *if_es_thread, nir_def *output
 /* Export just the pos0 output. */
 nir_if *if_export_empty_pos = nir_push_if(b, if_es_thread->condition.ssa);
 {
+ nir_def *pos_output_array[VARYING_SLOT_MAX][4] = {0};
+ memcpy(pos_output_array[VARYING_SLOT_POS], pos_output.chan, sizeof(pos_output.chan));
+
 ac_nir_export_position(b, options->gfx_level, options->clipdist_enable_mask, !options->has_param_exports, options->force_vrs, true,
- VARYING_BIT_POS, &pos_output.chan);
+ VARYING_BIT_POS, pos_output_array);
 }
 nir_pop_if(b, if_export_empty_pos);
 }
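Review bot: The added `memcpy` into `pos_output_array[VARYING_SLOT_POS]` takes its length from the source, `sizeof(pos_output.chan)`, so nothing ties the copy to the four-pointer destination row. If `chan` were ever widened or its element type changed, the copy would write past that row into the next slot without a diagnostic. The declaration of `pos_output` is outside the hunk, so I am assuming it is currently four `nir_def *`. A compile-time check beside the copy would pin that: `STATIC_ASSERT(sizeof(pos_output.chan) == sizeof(pos_output_array[VARYING_SLOT_POS]));`. A short comment above the array, e.g. `/* ac_nir_export_position reads outputs[] at other VARYING_SLOT_* indices (PSIZ etc.), so it needs a full table */`, would also stop a later cleanup from going back to `&pos_output.chan`.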
