util: Fix `BITSET_EXTRACT` out-of-bounds read

In some situations the implementation of `BITSET_EXTRACT` would read beyond the size of the bitset due to an unconditional + 1 in the address calculation. Reviewed-by: Georg Lehmann <dadschoorse@gmail.com> Reviewed-by: Konstantin Seurer <konstantin.seurer@gmail.com> Fixes: 0cc9443e9b5 ("util: Add BITSET_EXTRACT") Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/34605>
author: Josh Simmons <josh@nega.tv> 2025-04-18 11:31:34 +0200
committer: Joshua Simmons <josh@nega.tv> 2025-08-23 19:46:05 +0200
commit: 922c3c53ceb77c0c51a6ed2937860dc812059c01 (patch)
tree: c2ab5a5abb1d12ea1b37ce1e6ad8ddbc815a978b /src
parent: 0088fbc3a9fc80d6efb62e6515ab40a1ff45c58f (diff)
1 files changed, 4 insertions, 5 deletions
diff --git a/src/util/bitset.h b/src/util/bitset.h
index 594f8cc56db..03e006c43f1 100644
--- a/src/util/bitset.h
+++ b/src/util/bitset.h
@@ -276,11 +276,10 @@ static inline unsigned
 __bitset_extract(const BITSET_WORD *r, unsigned start, unsigned count)
 {
    unsigned shift = start % BITSET_WORDBITS;
-   unsigned lower = r[BITSET_BITWORD(start)] >> shift;
-   unsigned upper = shift ? r[BITSET_BITWORD(start) + 1] << (32 - shift) : 0;
-   unsigned total = lower | upper;
-
-   return count != 32 ? total & ((1u << count) - 1u) : total;
+   BITSET_WORD lower = r[BITSET_BITWORD(start)] >> shift;
+   BITSET_WORD upper = shift ? r[BITSET_BITWORD(start + count - 1)] << (BITSET_WORDBITS - shift) : 0;
+   BITSET_WORD total = lower | upper;
+   return count != BITSET_WORDBITS ? total & ((1u << count) - 1u) : total;
 }
 
 #define BITSET_EXTRACT(x, s, c) \
author	Josh Simmons <josh@nega.tv>	2025-04-18 11:31:34 +0200
committer	Joshua Simmons <josh@nega.tv>	2025-08-23 19:46:05 +0200
commit	922c3c53ceb77c0c51a6ed2937860dc812059c01 (patch)
tree	c2ab5a5abb1d12ea1b37ce1e6ad8ddbc815a978b /src
parent	0088fbc3a9fc80d6efb62e6515ab40a1ff45c58f (diff)