From 922c3c53ceb77c0c51a6ed2937860dc812059c01 Mon Sep 17 00:00:00 2001
From: Josh Simmons
Date: Fri, 18 Apr 2025 11:31:34 +0200
Subject: util: Fix `BITSET_EXTRACT` out-of-bounds read

In some situations the implementation of `BITSET_EXTRACT` would read beyond the size of the bitset due to an unconditional + 1 in the address calculation.

Reviewed-by: Georg Lehmann
Reviewed-by: Konstantin Seurer
Fixes: 0cc9443e9b5 ("util: Add BITSET_EXTRACT")
Part-of:
---
 src/util/bitset.h | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

(limited to 'src/util/bitset.h')

diff --git a/src/util/bitset.h b/src/util/bitset.h
index 594f8cc56db..03e006c43f1 100644
--- a/src/util/bitset.h
+++ b/src/util/bitset.h
@@ -276,11 +276,10 @@ static inline unsigned
 __bitset_extract(const BITSET_WORD *r, unsigned start, unsigned count)
 {
 unsigned shift = start % BITSET_WORDBITS;
- unsigned lower = r[BITSET_BITWORD(start)] >> shift;
- unsigned upper = shift ? r[BITSET_BITWORD(start) + 1] << (32 - shift) : 0;
- unsigned total = lower | upper;
-
- return count != 32 ? total & ((1u << count) - 1u) : total;
+ BITSET_WORD lower = r[BITSET_BITWORD(start)] >> shift;
+ BITSET_WORD upper = shift ? r[BITSET_BITWORD(start + count - 1)] << (BITSET_WORDBITS - shift) : 0;
+ BITSET_WORD total = lower | upper;
+ return count != BITSET_WORDBITS ? total & ((1u << count) - 1u) : total;
 }
 
 #define BITSET_EXTRACT(x, s, c) \
-- 
cgit v1.2.3
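Review bot: The mask on the new return line still uses `1u` while the rest of the hunk was generalized from the literal 32 to `BITSET_WORDBITS`, so the mask width is tied to `unsigned` rather than to `BITSET_WORD`; should the word type ever be wider than `unsigned`, `1u << count` with count >= 32 is undefined and the mask is wrong, so prefer `return count != BITSET_WORDBITS ? total & (((BITSET_WORD)1 << count) - 1) : total;`. The function also has no visible check on `count`: with `count == 0` the new index `start + count - 1` wraps when `start == 0` (harmless only because `shift` is then 0 and the `upper` read is skipped), and any `count > BITSET_WORDBITS` makes the shift undefined. If the `BITSET_EXTRACT` macro does not assert this, a comment above the function such as `/* Precondition: 0 < count <= BITSET_WORDBITS; the range may span at most two words, so only r[BITSET_BITWORD(start)] and r[BITSET_BITWORD(start + count - 1)] are read. */` (or an `assert` of the same condition) would pin the contract the fix relies on. The `#define BITSET_EXTRACT` continuation runs past the end of the hunk.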