diff options
author | Marc-André Lureau <marcandre.lureau@redhat.com> | 2016-02-17 22:59:57 +0100 |
---|---|---|
committer | Dave Airlie <airlied@redhat.com> | 2016-02-18 09:59:17 +1000 |
commit | 9a2464c02746170f836350a9bcdf7b6a764507a7 (patch) | |
tree | 43d72a781a81e57231a9d28e734786295ca2f023 | |
parent | c01d5be76a6a6b0bdc8a7f9f01caf5c6aaf8ca5b (diff) |
vrend: fix VREND_MAX_CTX checks
Context array is declared as dec_ctx[VREND_MAX_CTX], virgl shouldn't accept id
== VREND_MAX_CTX.
Found thanks to AddressSanitizer.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-rw-r--r-- | src/vrend_decode.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/src/vrend_decode.c b/src/vrend_decode.c index c77b3c5..96b60f4 100644 --- a/src/vrend_decode.c +++ b/src/vrend_decode.c @@ -1040,7 +1040,7 @@ void vrend_renderer_context_create_internal(uint32_t handle, uint32_t nlen, { struct vrend_decode_ctx *dctx; - if (handle > VREND_MAX_CTX) + if (handle >= VREND_MAX_CTX) return; dctx = malloc(sizeof(struct vrend_decode_ctx)); @@ -1060,8 +1060,9 @@ void vrend_renderer_context_create_internal(uint32_t handle, uint32_t nlen, int vrend_renderer_context_create(uint32_t handle, uint32_t nlen, const char *debug_name) { - if (handle > VREND_MAX_CTX) + if (handle >= VREND_MAX_CTX) return EINVAL; + /* context 0 is always available with no guarantees */ if (handle == 0) return EINVAL; @@ -1075,7 +1076,7 @@ void vrend_renderer_context_destroy(uint32_t handle) struct vrend_decode_ctx *ctx; bool ret; - if (handle > VREND_MAX_CTX) + if (handle >= VREND_MAX_CTX) return; ctx = dec_ctx[handle]; @@ -1091,7 +1092,7 @@ void vrend_renderer_context_destroy(uint32_t handle) struct vrend_context *vrend_lookup_renderer_ctx(uint32_t ctx_id) { - if (ctx_id > VREND_MAX_CTX) + if (ctx_id >= VREND_MAX_CTX) return NULL; if (dec_ctx[ctx_id] == NULL) @@ -1105,7 +1106,7 @@ int vrend_decode_block(uint32_t ctx_id, uint32_t *block, int ndw) struct vrend_decode_ctx *gdctx; bool bret; int ret; - if (ctx_id > VREND_MAX_CTX) + if (ctx_id >= VREND_MAX_CTX) return EINVAL; if (dec_ctx[ctx_id] == NULL) |