Module: Mesa Branch: master Commit: 565aa69970ccb0e92c9d5773c43d9b49e7bdb8e4 URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=565aa69970ccb0e92c9d5773c43d9b49e7bdb8e4
Author: Kenneth Graunke <[email protected]> Date: Sat Feb 13 16:58:35 2016 -0800 glsl: Fix overflow of ImageAccess[] array. The ImageAccess array is statically sized to MAX_IMAGE_UNIFORMS: GLenum ImageAccess[MAX_IMAGE_UNIFORMS]; There was no bounds checking ensuring we don't overflow. Passing in a shader with too many uniforms would cause writes to extend into other fields, such as sh->NumImages. Later linker checks already handle reporting an error when there are too many images, so just avoid corrupting structures here. This rearranges the logic a bit to look more like the sampler case. Signed-off-by: Kenneth Graunke <[email protected]> Reviewed-by: Ilia Mirkin <[email protected]> Reviewed-by: Timothy Arceri <[email protected]> Reviewed-by: Jordan Justen <[email protected]> Tested-by: Jordan Justen <[email protected]> --- src/compiler/glsl/link_uniforms.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp index 7072c16..d18a2f2 100644 --- a/src/compiler/glsl/link_uniforms.cpp +++ b/src/compiler/glsl/link_uniforms.cpp @@ -649,15 +649,15 @@ private: current_var->data.image_write_only ? GL_WRITE_ONLY : GL_READ_WRITE); - for (unsigned j = 0; j < MAX2(1, uniform->array_elements); ++j) - prog->_LinkedShaders[shader_type]-> - ImageAccess[this->next_image + j] = access; + const unsigned first = this->next_image; /* Increment the image index by 1 for non-arrays and by the * number of array elements for arrays. */ this->next_image += MAX2(1, uniform->array_elements); + for (unsigned i = first; i < MIN2(next_image, MAX_IMAGE_UNIFORMS); i++) + prog->_LinkedShaders[shader_type]->ImageAccess[i] = access; } } _______________________________________________ mesa-commit mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/mesa-commit
