authorMarc-André Lureau <marcandre.lureau@redhat.com>2016-01-19 17:45:46 +0100
committerDave Airlie <airlied@redhat.com>2016-02-10 12:32:58 +1000
commit18e4808c1d4de0709c6643486a83935703e3fac0 (patch)
tree7fb6157cbf457d8e4600fe0b4f0e42a57b95abe2
parent775f5ed62a4eb3ceb4960a0cd4292a14883f86d4 (diff)
renderer: avoid out of bound sampler array access
Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-rw-r--r--src/vrend_renderer.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index fcd79c5..c8e5b60 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -3412,6 +3412,12 @@ void vrend_bind_sampler_states(struct vrend_context *ctx,
return;
}
+ if (num_states > PIPE_MAX_SAMPLERS ||
+ start_slot > (PIPE_MAX_SAMPLERS - num_states)) {
+ report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER, num_states);
+ return;
+ }
+
ctx->sub->num_sampler_states[shader_type] = num_states;
for (i = 0; i < num_states; i++) {