From: Kenneth Graunke Date: Sun, 14 Feb 2016 00:58:35 +0000 (-0800) Subject: glsl: Fix overflow of ImageAccess[] array. X-Git-Tag: android-x86-6.0-r1~3767 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=565aa69970ccb0e92c9d5773c43d9b49e7bdb8e4;p=android-x86%2Fexternal-mesa.git glsl: Fix overflow of ImageAccess[] array. The ImageAccess array is statically sized to MAX_IMAGE_UNIFORMS: GLenum ImageAccess[MAX_IMAGE_UNIFORMS]; There was no bounds checking ensuring we don't overflow. Passing in a shader with too many uniforms would cause writes to extend into other fields, such as sh->NumImages. Later linker checks already handle reporting an error when there are too many images, so just avoid corrupting structures here. This rearranges the logic a bit to look more like the sampler case. Signed-off-by: Kenneth Graunke Reviewed-by: Ilia Mirkin Reviewed-by: Timothy Arceri Reviewed-by: Jordan Justen Tested-by: Jordan Justen --- diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp index 7072c16cb28..d18a2f2a1bc 100644 --- a/src/compiler/glsl/link_uniforms.cpp +++ b/src/compiler/glsl/link_uniforms.cpp @@ -649,15 +649,15 @@ private: current_var->data.image_write_only ? GL_WRITE_ONLY : GL_READ_WRITE); - for (unsigned j = 0; j < MAX2(1, uniform->array_elements); ++j) - prog->_LinkedShaders[shader_type]-> - ImageAccess[this->next_image + j] = access; + const unsigned first = this->next_image; /* Increment the image index by 1 for non-arrays and by the * number of array elements for arrays. */ this->next_image += MAX2(1, uniform->array_elements); + for (unsigned i = first; i < MIN2(next_image, MAX_IMAGE_UNIFORMS); i++) + prog->_LinkedShaders[shader_type]->ImageAccess[i] = access; } }