decode: check set_sampler_views args

Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
author: Marc-André Lureau <marcandre.lureau@redhat.com> 2016-01-20 14:02:58 +0100
committer: Dave Airlie <airlied@redhat.com> 2016-02-10 12:39:47 +1000
commit: 3c0a03de895df2e13618a43becfd6467e3358962 (patch)
tree: 263ce307c84219f780cd8518b9c9dbf6d1c4c6c1
parent: 9be86b89fb25e54f7823a395dda99948d554fda1 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index e36e1f6..19df683 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -275,6 +275,14 @@ static int vrend_decode_set_sampler_views(struct vrend_decode_ctx *ctx, uint16_t
    num_samps = length - 2;
    shader_type = get_buf_entry(ctx, VIRGL_SET_SAMPLER_VIEWS_SHADER_TYPE);
    start_slot = get_buf_entry(ctx, VIRGL_SET_SAMPLER_VIEWS_START_SLOT);
+
+   if (shader_type >= PIPE_SHADER_TYPES)
+      return EINVAL;
+
+   if (num_samps > PIPE_MAX_SHADER_SAMPLER_VIEWS ||
+       start_slot > (PIPE_MAX_SHADER_SAMPLER_VIEWS - num_samps))
+      return EINVAL;
+
    for (i = 0; i < num_samps; i++) {
       uint32_t handle = get_buf_entry(ctx, VIRGL_SET_SAMPLER_VIEWS_V0_HANDLE + i);
       vrend_set_single_sampler_view(ctx->grctx, shader_type, i + start_slot, handle);
author	Marc-André Lureau <marcandre.lureau@redhat.com>	2016-01-20 14:02:58 +0100
committer	Dave Airlie <airlied@redhat.com>	2016-02-10 12:39:47 +1000
commit	3c0a03de895df2e13618a43becfd6467e3358962 (patch)
tree	263ce307c84219f780cd8518b9c9dbf6d1c4c6c1
parent	9be86b89fb25e54f7823a395dda99948d554fda1 (diff)