Module: Mesa Branch: master Commit: f2b17dec1208423061309e0e03ba32b2c5566ace URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=f2b17dec1208423061309e0e03ba32b2c5566ace
Author: Danylo Piliaiev <[email protected]> Date: Fri Aug 21 17:21:14 2020 +0300 nir/lower_samplers: Clamp out-of-bounds access to array of samplers Section 5.11 (Out-of-Bounds Accesses) of the GLSL 4.60 spec says: "In the subsections described above for array, vector, matrix and structure accesses, any out-of-bounds access produced undefined behavior.... Out-of-bounds reads return undefined values, which include values from other variables of the active program or zero." Robustness extensions suggest to return zero on out-of-bounds accesses, however it's not applicable to the arrays of samplers, so just clamp the index. Otherwise instr->sampler_index or instr->texture_index would be out of bounds, and they are used as an index to arrays of driver state. E.g. this fixes such dereference: if (options->lower_tex_packing[tex->sampler_index] != in nir_lower_tex.c CC: <[email protected]> Signed-off-by: Danylo Piliaiev <[email protected]> Reviewed-by: Eric Anholt <[email protected]> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/6428> --- src/compiler/nir/nir_lower_samplers.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/src/compiler/nir/nir_lower_samplers.c b/src/compiler/nir/nir_lower_samplers.c index 3eb69bcd5de..48e28c933b3 100644 --- a/src/compiler/nir/nir_lower_samplers.c +++ b/src/compiler/nir/nir_lower_samplers.c @@ -47,7 +47,27 @@ lower_tex_src_to_offset(nir_builder *b, if (nir_src_is_const(deref->arr.index) && index == NULL) { /* We're still building a direct index */ - base_index += nir_src_as_uint(deref->arr.index) * array_elements; + unsigned index_in_array = nir_src_as_uint(deref->arr.index); + + /* Section 5.11 (Out-of-Bounds Accesses) of the GLSL 4.60 spec says: + * + * In the subsections described above for array, vector, matrix and + * structure accesses, any out-of-bounds access produced undefined + * behavior.... Out-of-bounds reads return undefined values, which + * include values from other variables of the active program or zero. + * + * Robustness extensions suggest to return zero on out-of-bounds + * accesses, however it's not applicable to the arrays of samplers, + * so just clamp the index. + * + * Otherwise instr->sampler_index or instr->texture_index would be out + * of bounds, and they are used as an index to arrays of driver state. + */ + if (index_in_array < glsl_array_size(parent->type)) { + base_index += index_in_array * array_elements; + } else { + base_index = glsl_array_size(parent->type) - 1; + } } else { if (index == NULL) { /* We used to be direct but not anymore */ _______________________________________________ mesa-commit mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/mesa-commit
