From 50cd0368711345fe0acf451362068a4d4bfefcac Mon Sep 17 00:00:00 2001
From: Sebastian Keller <skeller@gnome.org>
Date: Wed, 22 Jun 2022 02:42:15 +0200
Subject: [PATCH] egl/wayland: Don't try to access modifiers u_vector as
 dynarray

The modifiers are u_vectors, but the code was trying to access them
as dynarrays. This resulted in a wrong number of modifiers, which then
later on would also lead to invalid reads used as modifiers.

In the case of the iris driver, a wrongly read number of modifiers > 0
would also trigger an error message.

Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/6643
Fixes: b5848b2dac1 ("egl/wayland: use surface dma-buf feedback to allocate surface buffers")
Reviewed-by: Leandro Ribeiro <leandro.ribeiro@collabora.com>
Reviewed-by: Simon Ser <contact@emersion.fr>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/17180>
(cherry picked from commit f50fe9b0b6b108caa3334e4ddde1871b52ce9a31)
---
 .pick_status.json                       | 2 +-
 src/egl/drivers/dri2/platform_wayland.c | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/.pick_status.json b/.pick_status.json
index 9e19624237e..d0ccf43838e 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -391,7 +391,7 @@
         "description": "egl/wayland: Don't try to access modifiers u_vector as dynarray",
         "nominated": true,
         "nomination_type": 1,
-        "resolution": 0,
+        "resolution": 1,
         "main_sha": null,
         "because_sha": "b5848b2dac1464f5364dc2a76bd11cac0cb5769b"
     },
diff --git a/src/egl/drivers/dri2/platform_wayland.c b/src/egl/drivers/dri2/platform_wayland.c
index ff86484c5fc..5b886f8d62d 100644
--- a/src/egl/drivers/dri2/platform_wayland.c
+++ b/src/egl/drivers/dri2/platform_wayland.c
@@ -937,9 +937,8 @@ create_dri_image_from_dmabuf_feedback(struct dri2_egl_surface *dri2_surf,
       /* Ignore tranches that do not contain dri2_surf->format */
       if (!BITSET_TEST(tranche->formats.formats_bitmap, visual_idx))
          continue;
-      modifiers = util_dynarray_begin(&tranche->formats.modifiers[visual_idx]);
-      num_modifiers = util_dynarray_num_elements(&tranche->formats.modifiers[visual_idx],
-                                                 uint64_t);
+      modifiers = u_vector_tail(&tranche->formats.modifiers[visual_idx]);
+      num_modifiers = u_vector_length(&tranche->formats.modifiers[visual_idx]);
 
       /* For the purposes of this function, an INVALID modifier on
        * its own means the modifiers aren't supported. */