nir/unsigned_upper_bound: fix buffer overflow in search_phi_bcsel

It should only recurse if there's enough space to add the phi sources.

Signed-off-by: Rhys Perry <pendingchaos02@gmail.com>
Reviewed-by: Daniel Schürmann <daniel@schuermann.dev>
Fixes: 72ac3f6026 ("nir: add nir_unsigned_upper_bound and nir_addition_might_overflow")
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/7748>

src/compiler/nir/nir_range_analysis.c

@@ -1102,6 +1102,7 @@ static uint64_t mul_clamp(uint32_t a, uint32_t b)
       return a * b;
 }
 
+/* recursively gather at most "buf_size" phi/bcsel sources */
 static unsigned
 search_phi_bcsel(nir_ssa_scalar scalar, nir_ssa_scalar *buf, unsigned buf_size, struct set *visited)
 {
@@ -1112,15 +1113,17 @@ search_phi_bcsel(nir_ssa_scalar scalar, nir_ssa_scalar *buf, unsigned buf_size,
    if (scalar.def->parent_instr->type == nir_instr_type_phi) {
       nir_phi_instr *phi = nir_instr_as_phi(scalar.def->parent_instr);
       unsigned num_sources_left = exec_list_length(&phi->srcs);
-      unsigned total_added = 0;
-      nir_foreach_phi_src(src, phi) {
-         unsigned added = search_phi_bcsel(
-            (nir_ssa_scalar){src->src.ssa, 0}, buf + total_added, buf_size - num_sources_left, visited);
-         buf_size -= added;
-         total_added += added;
-         num_sources_left--;
+      if (buf_size >= num_sources_left) {
+         unsigned total_added = 0;
+         nir_foreach_phi_src(src, phi) {
+            unsigned added = search_phi_bcsel(
+               (nir_ssa_scalar){src->src.ssa, 0}, buf + total_added, buf_size - num_sources_left, visited);
+            buf_size -= added;
+            total_added += added;
+            num_sources_left--;
+         }
+         return total_added;
       }
-      return total_added;
    }
 
    if (nir_ssa_scalar_is_alu(scalar)) {