From a4350c69b4d299d99f33db373595eed7a1edc9b4 Mon Sep 17 00:00:00 2001 From: Rob Clark Date: Sat, 22 Nov 2025 09:02:23 -0800 Subject: [PATCH] freedreno/a6xx: Fix UB in convert_color() Swizzle can include PIPE_SWIZZLE_0/_1 (4 and 5) which result in indexing beyond the channel array. Reported-by: Danylo Piliaiev Fixes: 76e350671f3b ("freedreno/a6xx: Sysmem clear fixes") Signed-off-by: Rob Clark Part-of: (cherry picked from commit f0465ced7f9924d0be8e219ed0afe907994bd516) --- .pick_status.json | 2 +- src/gallium/drivers/freedreno/a6xx/fd6_blitter.cc | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.pick_status.json b/.pick_status.json index 5f7b1b413f9..27e2b54ace5 100644 --- a/.pick_status.json +++ b/.pick_status.json @@ -4034,7 +4034,7 @@ "description": "freedreno/a6xx: Fix UB in convert_color()", "nominated": true, "nomination_type": 2, - "resolution": 0, + "resolution": 1, "main_sha": null, "because_sha": "76e350671f3ba2d8ccbe6851de868d8897a8bb98", "notes": null diff --git a/src/gallium/drivers/freedreno/a6xx/fd6_blitter.cc b/src/gallium/drivers/freedreno/a6xx/fd6_blitter.cc index b8adfdacd1c..574e9cc83a4 100644 --- a/src/gallium/drivers/freedreno/a6xx/fd6_blitter.cc +++ b/src/gallium/drivers/freedreno/a6xx/fd6_blitter.cc @@ -862,6 +862,9 @@ convert_color(enum pipe_format format, union pipe_color_union *pcolor) for (unsigned i = 0; i < 4; i++) { unsigned channel = desc->swizzle[i]; + if (channel >= 4) /* PIPE_SWIZZLE_0/_1 */ + continue; + if (desc->channel[channel].normalized) continue;
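Review bot: In the convert_color() hunk, the new guard `if (channel >= 4)` hard-codes the bound as a literal, and its comment names only PIPE_SWIZZLE_0/_1 although the comparison also rejects any larger swizzle value. Consider tying the bound to the array being indexed, for example a comparison against PIPE_SWIZZLE_W or the element count of `desc->channel`, so the check cannot drift from the array size. The comment could then say that anything other than X/Y/Z/W is skipped. The `continue` also bypasses the rest of the loop body for that component, and that body is not visible in this context, so it is worth confirming (and noting in the comment) that leaving constant-swizzle components unconverted in `pcolor` is the intended result.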