panvk: Fix an overflow on cmdbuf->state.clear

We assume the cmdbuf->state.clear array will have one entry per attachment, but clearValueCount might be smaller if some attachments are not cleared. Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Reviewed-by: Tomeu Vizoso <tomeu.vizoso@collabora.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/13077>
2021-09-23 16:10:51 +02:00 · 2021-09-23 16:10:51 +02:00 · 96f006539f
parent d43912b188
commit 96f006539f
1 changed files with 5 additions and 4 deletions
--- a/src/panfrost/vulkan/panvk_cmd_buffer.c
+++ b/src/panfrost/vulkan/panvk_cmd_buffer.c
@ -434,10 +434,11 @@ panvk_CmdBeginRenderPass2(VkCommandBuffer commandBuffer,
                                   VK_SYSTEM_ALLOCATION_SCOPE_COMMAND);
   util_dynarray_init(&cmdbuf->state.batch->jobs, NULL);
   util_dynarray_init(&cmdbuf->state.batch->event_ops, NULL);
-   cmdbuf->state.clear = vk_zalloc(&cmdbuf->pool->alloc,
-                                   sizeof(*cmdbuf->state.clear) *
-                                   pRenderPassBegin->clearValueCount, 8,
-                                   VK_SYSTEM_ALLOCATION_SCOPE_COMMAND);
+   assert(pRenderPassBegin->clearValueCount <= pass->attachment_count);
+   cmdbuf->state.clear =
+      vk_zalloc(&cmdbuf->pool->alloc,
+                sizeof(*cmdbuf->state.clear) * pass->attachment_count,
+                8, VK_SYSTEM_ALLOCATION_SCOPE_COMMAND);
   panvk_cmd_prepare_clear_values(cmdbuf, pRenderPassBegin->pClearValues);
   panvk_cmd_fb_info_init(cmdbuf);
   panvk_cmd_fb_info_set_subpass(cmdbuf);