From 99aec40f089fcdcc2cc2ebe70902004f2d92cee8 Mon Sep 17 00:00:00 2001 From: Rhys Perry Date: Tue, 24 Nov 2020 10:52:56 +0000 Subject: [PATCH] nir/unsigned_upper_bound: fix buffer overflow in search_phi_bcsel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It should only recurse if there's enough space to add the phi sources. Signed-off-by: Rhys Perry Reviewed-by: Daniel Schürmann Fixes: 72ac3f60261 ("nir: add nir_unsigned_upper_bound and nir_addition_might_overflow") Part-of: (cherry picked from commit 65fbae16e37b5f349a0d0feb8d54ba132a1f02f4)
---
 .pick_status.json | 2 +-
 src/compiler/nir/nir_range_analysis.c | 19 +++++++++++--------
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/.pick_status.json b/.pick_status.json
index edde9d6b073..0072732fcd7 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -2416,7 +2416,7 @@
 "description": "nir/unsigned_upper_bound: fix buffer overflow in search_phi_bcsel",
 "nominated": true,
 "nomination_type": 1,
- "resolution": 0,
+ "resolution": 1,
 "master_sha": null,
 "because_sha": "72ac3f60261a8510512861b93e843e695331e2ab"
 },
diff --git a/src/compiler/nir/nir_range_analysis.c b/src/compiler/nir/nir_range_analysis.c
index 14f93061040..58582c55261 100644
--- a/src/compiler/nir/nir_range_analysis.c
+++ b/src/compiler/nir/nir_range_analysis.c
@@ -1099,6 +1099,7 @@ static uint64_t mul_clamp(uint32_t a, uint32_t b)
 return a * b;
 }
 
+/* recursively gather at most "buf_size" phi/bcsel sources */
 static unsigned
 search_phi_bcsel(nir_ssa_scalar scalar, nir_ssa_scalar *buf, unsigned buf_size, struct set *visited)
 {
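Review bot: The new header comment on `search_phi_bcsel` states the bound but not what the `unsigned` return value means or what `buf` receives, which the prototype on the following lines leaves the reader to guess; `/* Recursively gather at most "buf_size" phi/bcsel sources into "buf"; returns the number of entries written. */` covers what the next hunk shows with `return total_added`. What `visited` suppresses is not visible in this hunk, so I would only mention it once the body confirms it is a dedup set. The function body continues past the end of this hunk.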
@@ -1109,15 +1110,17 @@ search_phi_bcsel(nir_ssa_scalar scalar, nir_ssa_scalar *buf, unsigned buf_size,
 if (scalar.def->parent_instr->type == nir_instr_type_phi) {
 nir_phi_instr *phi = nir_instr_as_phi(scalar.def->parent_instr);
 unsigned num_sources_left = exec_list_length(&phi->srcs);
- unsigned total_added = 0;
- nir_foreach_phi_src(src, phi) {
- unsigned added = search_phi_bcsel(
- (nir_ssa_scalar){src->src.ssa, 0}, buf + total_added, buf_size - num_sources_left, visited);
- buf_size -= added;
- total_added += added;
- num_sources_left--;
+ if (buf_size >= num_sources_left) {
+ unsigned total_added = 0;
+ nir_foreach_phi_src(src, phi) {
+ unsigned added = search_phi_bcsel(
+ (nir_ssa_scalar){src->src.ssa, 0}, buf + total_added, buf_size - num_sources_left, visited);
+ buf_size -= added;
+ total_added += added;
+ num_sources_left--;
+ }
+ return total_added;
 }
- return total_added;
 }
 
 if (nir_ssa_scalar_is_alu(scalar)) {
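Review bot: The new guard `if (buf_size >= num_sources_left)` only protects the first iteration; on later iterations `buf_size - num_sources_left` stays non-negative (and the loop stays within the buffer) only if every recursive call writes at most one entry beyond the `buf_size` it was handed, i.e. its reserved slot plus the surplus, and that invariant is nowhere stated. The phi branch shown here honours it, but the bcsel and leaf paths that also store into `buf` lie outside this hunk, so the contract should be pinned next to the guard: `/* Each remaining source is reserved one slot; a child gets only the surplus (buf_size - num_sources_left) on top of its own slot, so the subtraction never wraps. */`. When the guard fails control falls through to the ALU check, which presumably ends with the phi stored as a single opaque entry; a one-liner such as `/* not enough room to expand every source: treat the phi as one value */` would make that drop-through visibly deliberate. search_phi_bcsel continues past the end of this hunk.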