authorConnor Abbott <cwabbott0@gmail.com>2021-02-23 17:30:33 +0100
committerMarge Bot <eric+marge@anholt.net>2021-04-07 14:35:13 +0000
commit8cd7950014bb86eb4c7e1b062ff7a7d0ef6fb76c (patch)
tree891d4b0546f93a9937e240a2e12638ba9095d6ee
parent387189a95542082e055f3a98066e75b5637b2e45 (diff)
util/bitset: Avoid out-of-bounds reads
I missed a corner case here: when the next range ends right at the end of the bitset, we need to return immediately to avoid trying to search after the bitset. And when finding the next end, we similarly need to bail if the range is size 1 at the very end of the range. In practice this probably wouldn't have been noticed, because it would break out of the loop anyway, but I happened to be running something using this under Valgrind and it complained. Reviewed-by: Eric Anholt <eric@anholt.net> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/10076>
-rw-r--r--src/util/bitset.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/util/bitset.h b/src/util/bitset.h
index 8225070f703..29de65e839c 100644
--- a/src/util/bitset.h
+++ b/src/util/bitset.h
@@ -165,6 +165,10 @@ __bitset_next_range(unsigned *start, unsigned *end, const BITSET_WORD *set,
* 0-bit after the range.
*/
unsigned word = BITSET_BITWORD(*end);
+ if (word >= BITSET_WORDS(size)) {
+ *start = *end = size;
+ return;
+ }
BITSET_WORD tmp = set[word] & ~(BITSET_BIT(*end) - 1);
while (!tmp) {
word++;
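Review bot: The guard added before `set[word]` is word-granular, so it only fires for `*end == size` when `size` is a multiple of the word width (assuming `BITSET_WORDS` rounds up). Otherwise `*end` can equal `size` while still indexing the last word, and the masked read then searches that word's unused high bits. That read is in bounds, so the Valgrind complaint is addressed, but if those padding bits are not guaranteed to be zero (not visible here) `*start` could come back at or past `size`. A bit-granular test, `if (*end >= size) {`, covers both cases, and the second hunk has the same shape and could use `if (*start + 1 >= size) {`. The body of `__bitset_next_range` starts and ends outside both hunks.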
@@ -182,6 +186,10 @@ __bitset_next_range(unsigned *start, unsigned *end, const BITSET_WORD *set,
* 0-bit.
*/
word = BITSET_BITWORD(*start + 1);
+ if (word >= BITSET_WORDS(size)) {
+ *end = size;
+ return;
+ }
tmp = set[word] | (BITSET_BIT(*start + 1) - 1);
while (~tmp == 0) {
word++;
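Review bot: The block comment above this guard still describes only the search, so the reason for the new early return is recorded only in the commit message. I would add `/* start is the last bit of the last word: the range is one bit long and there is no word left to read */` directly above the `if`. The first hunk's guard could carry a matching `/* the previous range ran to the end of the last word: nothing left to search */`. The `while (~tmp == 0)` loop that opens at the end of this hunk continues outside it.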