Merge pull request #7731 from v1993/xfb-varying-check-fix

shader_recompiler: fix potential OOB access
author: bunnei <bunneidev@gmail.com> 2022-01-21 10:45:56 -0800
committer: GitHub <noreply@github.com> 2022-01-21 10:45:56 -0800
commit: 03cf308c16f016c49964b343602c3fbd22415fcc (patch)
tree: e606805c438e9854d0c22be1e265963b4a3f543b
parent: ef7c50b276611daf21b66cbd9e82e01e8663024f (diff)
parent: a943600019969ce0382821e7ee19ef4b990564cb (diff)
2 files changed, 8 insertions, 6 deletions
diff --git a/src/shader_recompiler/backend/glsl/glsl_emit_context.cpp b/src/shader_recompiler/backend/glsl/glsl_emit_context.cpp
index bb7f1a0fd..e816a93ec 100644
--- a/src/shader_recompiler/backend/glsl/glsl_emit_context.cpp
+++ b/src/shader_recompiler/backend/glsl/glsl_emit_context.cpp
@@ -458,9 +458,10 @@ void EmitContext::DefineGenericOutput(size_t index, u32 invocations) {
         std::string definition{fmt::format("layout(location={}", index)};
         const u32 remainder{4 - element};
         const TransformFeedbackVarying* xfb_varying{};
-        if (!runtime_info.xfb_varyings.empty()) {
-            xfb_varying = &runtime_info.xfb_varyings[base_index + element];
-            xfb_varying = xfb_varying && xfb_varying->components > 0 ? xfb_varying : nullptr;
+        const size_t xfb_varying_index{base_index + element};
+        if (xfb_varying_index < runtime_info.xfb_varyings.size()) {
+            xfb_varying = &runtime_info.xfb_varyings[xfb_varying_index];
+            xfb_varying = xfb_varying->components > 0 ? xfb_varying : nullptr;
         }
         const u32 num_components{xfb_varying ? xfb_varying->components : remainder};
         if (element > 0) {
diff --git a/src/shader_recompiler/backend/spirv/spirv_emit_context.cpp b/src/shader_recompiler/backend/spirv/spirv_emit_context.cpp
index d3ba66569..cd90c084a 100644
--- a/src/shader_recompiler/backend/spirv/spirv_emit_context.cpp
+++ b/src/shader_recompiler/backend/spirv/spirv_emit_context.cpp
@@ -164,9 +164,10 @@ void DefineGenericOutput(EmitContext& ctx, size_t index, std::optional<u32> invo
     while (element < 4) {
         const u32 remainder{4 - element};
         const TransformFeedbackVarying* xfb_varying{};
-        if (!ctx.runtime_info.xfb_varyings.empty()) {
-            xfb_varying = &ctx.runtime_info.xfb_varyings[base_attr_index + element];
-            xfb_varying = xfb_varying && xfb_varying->components > 0 ? xfb_varying : nullptr;
+        const size_t xfb_varying_index{base_attr_index + element};
+        if (xfb_varying_index < ctx.runtime_info.xfb_varyings.size()) {
+            xfb_varying = &ctx.runtime_info.xfb_varyings[xfb_varying_index];
+            xfb_varying = xfb_varying->components > 0 ? xfb_varying : nullptr;
         }
         const u32 num_components{xfb_varying ? xfb_varying->components : remainder};
author	bunnei <bunneidev@gmail.com>	2022-01-21 10:45:56 -0800
committer	GitHub <noreply@github.com>	2022-01-21 10:45:56 -0800
commit	03cf308c16f016c49964b343602c3fbd22415fcc (patch)
tree	e606805c438e9854d0c22be1e265963b4a3f543b
parent	ef7c50b276611daf21b66cbd9e82e01e8663024f (diff)
parent	a943600019969ce0382821e7ee19ef4b990564cb (diff)