brw: don't read past the end of old_src buffer in resize_sources()

In this case, num_sources is bigger than this->sources, so if we loop up to num_sources (instead of this->sources) we'll end up reading past the end of old_src[]. Only copy up to what we originally had. This was found by code inspection, I'm not aware of any applications failing due to the lack of this patch. Fixes: d9e737212d ("intel/brw: Add a src array for the common case in fs_inst") Reviewed-by: Ian Romanick <ian.d.romanick@intel.com> Reviewed-by: Caio Oliveira <caio.oliveira@intel.com> Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com> (cherry picked from commit d4a54d4f92) Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/32730>
2026-01-20 11:00:24 +01:00 · 2024-12-11 15:57:25 -08:00 · 2024-12-11 15:57:25 -08:00 · f5eb332773
commit f5eb332773
parent 6a946ade04
2 changed files with 2 additions and 2 deletions
--- a/.pick_status.json
+++ b/.pick_status.json
@ -714,7 +714,7 @@
        "description": "brw: don't read past the end of old_src buffer in resize_sources()",
        "nominated": true,
        "nomination_type": 2,
-        "resolution": 0,
+        "resolution": 1,
        "main_sha": null,
        "because_sha": "d9e737212d5e9a8d61a50592234aa35c2ab530d7",
        "notes": null
--- a/src/intel/compiler/brw_fs.cpp
+++ b/src/intel/compiler/brw_fs.cpp
@ -188,7 +188,7 @@ fs_inst::resize_sources(uint8_t num_sources)

      } else {
         new_src = new brw_reg[num_sources];
-         for (unsigned i = 0; i < num_sources; i++)
+         for (unsigned i = 0; i < this->sources; i++)
            new_src[i] = old_src[i];
      }