From 46aea87a79ae1e984bb54b0f703e623e857cc6c3 Mon Sep 17 00:00:00 2001
From: Samuel Pitoiset
Date: Tue, 31 Mar 2026 17:55:53 +0200
Subject: [PATCH] spirv: fix OpUntypedVariableKHR with optional data type parameter
This would read OOB and crash because data type is optional per the SPIRV spec. Original patch by Faith Ekstrand .
Cc: mesa-stable
Signed-off-by: Samuel Pitoiset
(cherry picked from commit 1f8be7bfad64e4b8d4e3cf14723b5ff229a36c01)
Part-of:
---
 .pick_status.json | 2 +-
 src/compiler/spirv/vtn_variables.c | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/.pick_status.json b/.pick_status.json
index 7690ceebbc5..51e9bdf4f15 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -5254,7 +5254,7 @@
 "description": "spirv: fix OpUntypedVariableKHR with optional data type parameter",
 "nominated": true,
 "nomination_type": 1,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": null,
 "notes": null
diff --git a/src/compiler/spirv/vtn_variables.c b/src/compiler/spirv/vtn_variables.c
index 53856a1595c..fd597a3d6e7 100644
--- a/src/compiler/spirv/vtn_variables.c
+++ b/src/compiler/spirv/vtn_variables.c
@@ -2706,7 +2706,13 @@ vtn_handle_variables(struct vtn_builder *b, SpvOp opcode,
 const bool untyped = opcode == SpvOpUntypedVariableKHR;
 struct vtn_type *ptr_type = vtn_get_type(b, w[1]);
- struct vtn_type *data_type = untyped ? vtn_get_type(b, w[4]) : ptr_type->pointed;
+ struct vtn_type *data_type =
+ untyped && count > 4 ? vtn_get_type(b, w[4]) : ptr_type->pointed;
+ if (data_type == NULL) {
+ data_type = vtn_zalloc(b, struct vtn_type);
+ data_type->base_type = vtn_base_type_void;
+ data_type->type = glsl_void_type();
+ }
 SpvStorageClass storage_class = w[3];
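Review bot: The `data_type == NULL` fallback in the vtn_variables.c hunk is not restricted to the untyped opcode, so a typed `OpVariable` whose `ptr_type->pointed` is NULL would now silently receive a void placeholder instead of being rejected; whether that state is reachable depends on validation of `w[1]` that is not visible here. Consider making the intent explicit with something like `vtn_fail_if(!untyped && data_type == NULL, "OpVariable result type must be a typed pointer");` ahead of the fallback, and a comment such as `/* Data Type is optional for OpUntypedVariableKHR: use a void placeholder when it is absent */`. The new `count > 4` guard covers `w[4]` only; `w[3]` is still read unconditionally on the last line of the hunk, which is safe only if the minimum word count is enforced before this case is reached. The enclosing function starts and ends outside the hunk, so any later operand reads (for example an optional initializer) should be checked against `count` in the same way.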