From f5eb332773cf602a5fe32e21cb4b6097d40afa01 Mon Sep 17 00:00:00 2001
From: Paulo Zanoni
Date: Wed, 11 Dec 2024 15:57:25 -0800
Subject: [PATCH] brw: don't read past the end of old_src buffer in resize_sources()
In this case, num_sources is bigger than this->sources, so if we loop up to num_sources (instead of this->sources) we'll end up reading past the end of old_src[]. Only copy up to what we originally had. This was found by code inspection, I'm not aware of any applications failing due to the lack of this patch.
Fixes: d9e737212d5e ("intel/brw: Add a src array for the common case in fs_inst")
Reviewed-by: Ian Romanick
Reviewed-by: Caio Oliveira
Signed-off-by: Paulo Zanoni
(cherry picked from commit d4a54d4f9250f1a925340bec63c906751f8d0895)
Part-of:
---
 .pick_status.json | 2 +-
 src/intel/compiler/brw_fs.cpp | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pick_status.json b/.pick_status.json
index 979664d6ceb..dda2a774674 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -714,7 +714,7 @@
 "description": "brw: don't read past the end of old_src buffer in resize_sources()",
 "nominated": true,
 "nomination_type": 2,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": "d9e737212d5e9a8d61a50592234aa35c2ab530d7",
 "notes": null
diff --git a/src/intel/compiler/brw_fs.cpp b/src/intel/compiler/brw_fs.cpp
index 6d6daade4d2..e1f56a988cb 100644
--- a/src/intel/compiler/brw_fs.cpp
+++ b/src/intel/compiler/brw_fs.cpp
@@ -188,7 +188,7 @@ fs_inst::resize_sources(uint8_t num_sources)
 } else {
 new_src = new brw_reg[num_sources];
- for (unsigned i = 0; i < num_sources; i++)
+ for (unsigned i = 0; i < this->sources; i++)
 new_src[i] = old_src[i];
 }
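Review bot: The new bound `i < this->sources` in the `else` branch of the brw_fs.cpp hunk stays inside `new_src` only while `this->sources <= num_sources`, and nothing in the hunk checks that; the commit message states the relation, but the branch conditions that would guarantee it are outside the hunk. If a later change to those conditions breaks the assumption, the copy loop would write past the `num_sources`-element allocation rather than read past `old_src`, which is the worse of the two overruns. I would pin the invariant next to the copy with `assert(this->sources <= num_sources);` placed before the `for`. Because assertions are normally compiled out of release builds, bounding the loop by the smaller of the two counts is the form that stays in range everywhere. resize_sources() starts and ends outside the hunk.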