From 96f006539fdccaa79e6561e8175bf46ccbbdaca9 Mon Sep 17 00:00:00 2001
From: Boris Brezillon
Date: Thu, 23 Sep 2021 16:10:51 +0200
Subject: [PATCH] panvk: Fix an overflow on cmdbuf->state.clear

We assume the cmdbuf->state.clear array will have one entry per attachment, but clearValueCount might be smaller if some attachments are not cleared.

Signed-off-by: Boris Brezillon
Reviewed-by: Tomeu Vizoso
Part-of:
---
 src/panfrost/vulkan/panvk_cmd_buffer.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/panfrost/vulkan/panvk_cmd_buffer.c b/src/panfrost/vulkan/panvk_cmd_buffer.c
index 40a9ed0663a..ff257ff3b5c 100644
--- a/src/panfrost/vulkan/panvk_cmd_buffer.c
+++ b/src/panfrost/vulkan/panvk_cmd_buffer.c
@@ -434,10 +434,11 @@ panvk_CmdBeginRenderPass2(VkCommandBuffer commandBuffer,
 VK_SYSTEM_ALLOCATION_SCOPE_COMMAND);
 util_dynarray_init(&cmdbuf->state.batch->jobs, NULL);
 util_dynarray_init(&cmdbuf->state.batch->event_ops, NULL);
- cmdbuf->state.clear = vk_zalloc(&cmdbuf->pool->alloc,
- sizeof(*cmdbuf->state.clear) *
- pRenderPassBegin->clearValueCount, 8,
- VK_SYSTEM_ALLOCATION_SCOPE_COMMAND);
+ assert(pRenderPassBegin->clearValueCount <= pass->attachment_count);
+ cmdbuf->state.clear =
+ vk_zalloc(&cmdbuf->pool->alloc,
+ sizeof(*cmdbuf->state.clear) * pass->attachment_count,
+ 8, VK_SYSTEM_ALLOCATION_SCOPE_COMMAND);
 panvk_cmd_prepare_clear_values(cmdbuf, pRenderPassBegin->pClearValues);
 panvk_cmd_fb_info_init(cmdbuf);
 panvk_cmd_fb_info_set_subpass(cmdbuf);
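Review bot: The result of `vk_zalloc()` is stored in `cmdbuf->state.clear` and handed to `panvk_cmd_prepare_clear_values()` on the next line without a NULL check, so an allocation failure would become a NULL write if that helper fills the array (its body is not in the hunk). A guard such as `if (!cmdbuf->state.clear) return;`, with VK_ERROR_OUT_OF_HOST_MEMORY recorded through whatever error path the command buffer already uses, would close that. Separately, the added `assert(pRenderPassBegin->clearValueCount <= pass->attachment_count);` disappears in NDEBUG builds and, as far as I can tell, the Vulkan spec sets only a lower bound on clearValueCount, so it may trip on valid input; since the array is now sized by `pass->attachment_count`, having the helper ignore entries past that count would be more robust than asserting. `panvk_CmdBeginRenderPass2` starts and ends outside the hunk.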