Fix Vulkan PBR pipeline stack smash (fragment spec map entries)

cursoragent · timfox · cursoragent · commit c9780aef76b3 · 2026-04-27T06:17:18.000Z
ADD_FRAG_SPEC appended 41 VkSpecializationMapEntry values but spec_entries
was only 38 slots with USE_VK_PBR, corrupting the stack canary and aborting
after VarInfo during vk_create_pipelines. Enlarge to 48 with headroom and
add a fatal overflow guard.

Co-authored-by: Tim Fox &lt;timfox@outlook.com&gt;
diff --git a/docs/TODO_TRIAGE.md b/docs/TODO_TRIAGE.md
@@ -68,6 +68,7 @@ TODOs/FIXMEs in `src/external/` are from third-party code (duktape, zstd, cjson,
 
 | Date | Scope | Notes |
 |------|--------|------|
+| 2026-04-27 | Vulkan / PBR | `vk_create_pipeline.c`: PBR `ADD_FRAG_SPEC` wrote 41 map entries into `spec_entries[38]` (stack smash / SIGABRT after `VarInfo`); enlarged buffer + overflow guard. |
 | 2026-04-27 | Vulkan / IQM | `tr_model_iqm.c`: avoid `-Wcast-qual` on `backEnd.currentEntity` (uintptr_t bridge). Vegetation wind: `vk_vegetation_wind.c` header + triage row clarify dispatch-after-draw vs binding `vegwind_vertex_buffer` (still TODO). |
 | 2026-04-11 | Network / downloads | `cl_curl.c`: `dl->Name` from `Content-Disposition` uses **`Q_strncpyz`** (Phase 2 P0 item remains fixed). |
 | 2026-04-11 | Botlib / preprocessor | **`src/botlib/l_precomp.c`** already bounded; duplicate **`src/platform/botlib/l_precomp.c`** and **`src/platform/win32/botlib/l_precomp.c`** aligned: `sprintf` → **`Com_sprintf(..., MAX_TOKEN, ...)`** (5 sites each). |
diff --git a/src/renderers/vulkan/vk_create_pipeline.c b/src/renderers/vulkan/vk_create_pipeline.c
@@ -66,9 +66,10 @@ VkPipeline vk_create_pipeline( const Vk_Pipeline_Def *def, renderPass_t renderPa
     struct Vk_Pipeline_FragSpecData frag_spec_data;
 
 #ifdef USE_VK_PBR
-    VkSpecializationMapEntry spec_entries[38];
+	/* ADD_FRAG_SPEC: 11 base + 30 PBR (constant_id 11..40) + lightmap_scale/srgb = 41 entries; was 38 (stack smash / SIGABRT). */
+	VkSpecializationMapEntry spec_entries[48];
 #else
-    VkSpecializationMapEntry spec_entries[12];
+	VkSpecializationMapEntry spec_entries[12];
 #endif
 	
 	VkSpecializationInfo frag_spec_info;
@@ -817,6 +818,11 @@ VkPipeline vk_create_pipeline( const Vk_Pipeline_Def *def, renderPass_t renderPa
 
 	frag_spec_data.lightmap_srgb_decode = ( r_lightmap_srgb_decode && r_lightmap_srgb_decode->integer && r_hdr && r_hdr->integer > 0 ) ? 1 : 0;
 
+	if ( spec_entry_count > (int)( sizeof( spec_entries ) / sizeof( spec_entries[0] ) ) ) {
+		ri.Error( ERR_FATAL, "vk_create_pipeline: fragment specialization map overflow (%d > %u)",
+			spec_entry_count, (unsigned int)( sizeof( spec_entries ) / sizeof( spec_entries[0] ) ) );
+	}
+
 	frag_spec_info.mapEntryCount = spec_entry_count;
 	frag_spec_info.pMapEntries = spec_entries;
 	frag_spec_info.dataSize = sizeof( frag_spec_data );
