decode: check we don't reach MAX_VIEWPORTS

Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
author: Marc-André Lureau <marcandre.lureau@redhat.com> 2016-01-19 01:14:13 +0100
committer: Dave Airlie <airlied@redhat.com> 2016-02-10 12:01:11 +1000
commit: 2aa6c5bca976a68391ed806dbfa5f9236f07d4f5 (patch)
tree: 748a647bd93da1057ce4fb9f0db3d8323fbb219d
parent: e0e423aacd8dc01eaa043a1c1aebd23e048288c9 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index d946734..be5777e 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -180,10 +180,12 @@ static int vrend_decode_set_viewport_state(struct vrend_decode_ctx *ctx, int len
       return EINVAL;
 
    num_viewports = (length - 1) / 6;
-   if (num_viewports > PIPE_MAX_VIEWPORTS)
+   start_slot = get_buf_entry(ctx, VIRGL_SET_VIEWPORT_START_SLOT);
+
+   if (num_viewports > PIPE_MAX_VIEWPORTS ||
+       start_slot > (PIPE_MAX_VIEWPORTS - num_viewports))
       return EINVAL;
 
-   start_slot = get_buf_entry(ctx, VIRGL_SET_VIEWPORT_START_SLOT);
    for (v = 0; v < num_viewports; v++) {
       for (i = 0; i < 3; i++)
          vps[v].scale[i] = uif(get_buf_entry(ctx, VIRGL_SET_VIEWPORT_STATE_SCALE_0(v) + i));
author	Marc-André Lureau <marcandre.lureau@redhat.com>	2016-01-19 01:14:13 +0100
committer	Dave Airlie <airlied@redhat.com>	2016-02-10 12:01:11 +1000
commit	2aa6c5bca976a68391ed806dbfa5f9236f07d4f5 (patch)
tree	748a647bd93da1057ce4fb9f0db3d8323fbb219d
parent	e0e423aacd8dc01eaa043a1c1aebd23e048288c9 (diff)