glsl: fix glsl_struct_field size calculations for shader cache

nhaehnle · nhaehnle · commit 4da6cf6c98ae · 2017-08-25T09:05:28.000+02:00
Found by address sanitizer: ==22621==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000cbd8 at pc 0x7f561610a4ff bp 0x7ffca85f9d50 sp 0x7ffca85f94f8 READ of size 344 at 0x61400000cbd8 thread T0 #0 0x7f561610a4fe (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5f4fe) #1 0x7f560bb305a5 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53 #2 0x7f560bb305a5 in blob_write_bytes ../../../mesa-src/src/compiler/glsl/blob.c:136 #3 0x7f560be7d7ff in encode_type_to_blob ../../../mesa-src/src/compiler/glsl/shader_cache.cpp:153 #4 0x7f560be81222 in write_program_resource_data ../../../mesa-src/src/compiler/glsl/shader_cache.cpp:950 #5 0x7f560be81222 in write_program_resource_list ../../../mesa-src/src/compiler/glsl/shader_cache.cpp:1118 #6 0x7f560be81222 in shader_cache_write_program_metadata(gl_context*, gl_shader_program*) ../../../mesa-src/src/compiler/glsl/shader_cache.cpp:1407 #7 0x7f560b825fdb in link_program ../../../mesa-src/src/mesa/main/shaderapi.c:1163 Fixes: 073a84f ("glsl: stop adding pointers from glsl_struct_field to the cache") Reviewed-by: Timothy Arceri <tarceri@itsqueeze.com>
diff --git a/src/compiler/glsl/shader_cache.cpp b/src/compiler/glsl/shader_cache.cpp
@@ -76,10 +76,9 @@ compile_shaders(struct gl_context *ctx, struct gl_shader_program *prog) {
 
 static void
 get_struct_type_field_and_pointer_sizes(size_t *s_field_size,
-                                        size_t *s_field_ptrs,
-                                        unsigned num_fields)
+                                        size_t *s_field_ptrs)
 {
-   *s_field_size = sizeof(glsl_struct_field) * num_fields;
+   *s_field_size = sizeof(glsl_struct_field);
    *s_field_ptrs =
      sizeof(((glsl_struct_field *)0)->type) +
      sizeof(((glsl_struct_field *)0)->name);
@@ -140,8 +139,7 @@ encode_type_to_blob(struct blob *blob, const glsl_type *type)
       blob_write_uint32(blob, type->length);
 
       size_t s_field_size, s_field_ptrs;
-      get_struct_type_field_and_pointer_sizes(&s_field_size, &s_field_ptrs,
-                                              type->length);
+      get_struct_type_field_and_pointer_sizes(&s_field_size, &s_field_ptrs);
 
       for (unsigned i = 0; i < type->length; i++) {
          encode_type_to_blob(blob, type->fields.structure[i].type);
@@ -213,8 +211,7 @@ decode_type_from_blob(struct blob_reader *blob)
       unsigned num_fields = blob_read_uint32(blob);
 
       size_t s_field_size, s_field_ptrs;
-      get_struct_type_field_and_pointer_sizes(&s_field_size, &s_field_ptrs,
-                                              num_fields);
+      get_struct_type_field_and_pointer_sizes(&s_field_size, &s_field_ptrs);
 
       glsl_struct_field *fields =
          (glsl_struct_field *) malloc(s_field_size * num_fields);
