From fb8d69893c65043b608acf130d23d167ed807bc8 Mon Sep 17 00:00:00 2001
From: Job Noorman <jnoorman@igalia.com>
Date: Mon, 28 Jul 2025 09:02:17 +0200
Subject: [PATCH] ir3/legalize: add asserts to prevent OOB array access

When invalid registers are passed to `get_ready_slot`, it may cause an
OOB array access. Instead of running into UB when this happens, catch it
early by asserting.

Signed-off-by: Job Noorman <jnoorman@igalia.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/36365>
---
 src/freedreno/ir3/ir3_legalize.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/freedreno/ir3/ir3_legalize.c b/src/freedreno/ir3/ir3_legalize.c
index 21a2896197a..f9b2215d8e8 100644
--- a/src/freedreno/ir3/ir3_legalize.c
+++ b/src/freedreno/ir3/ir3_legalize.c
@@ -464,13 +464,18 @@ get_ready_slot(struct ir3_legalize_state *state,
       consumer_alu ? &state->alu_nop : &state->non_alu_nop;
    assert(!(reg->flags & IR3_REG_SHARED));
    if (reg->flags & IR3_REG_HALF) {
-      if (matching_size)
+      if (matching_size) {
+         assert(num < ARRAY_SIZE(nop->half_ready));
          return &nop->half_ready[num];
-      else
+      } else {
+         assert(num / 2 < ARRAY_SIZE(nop->full_ready));
          return &nop->full_ready[num / 2];
+      }
    } else {
-      if (matching_size)
+      if (matching_size) {
+         assert(num < ARRAY_SIZE(nop->full_ready));
          return &nop->full_ready[num];
+      }
       /* If "num" is large enough, then it can't alias a half-reg because only
        * the first half of the full reg speace aliases half regs. Return NULL in
        * this case.