diff options
| author | Marc-André Lureau <marcandre.lureau@redhat.com> | 2016-01-19 17:49:22 +0100 |
|---|---|---|
| committer | Dave Airlie <airlied@redhat.com> | 2016-02-10 12:39:47 +1000 |
| commit | bfa6cd741d2d1bf272c2ae1c201e6377041c9ac2 (patch) | |
| tree | e8d5d5f370b979a2857a091eed605fcd23c1b3b2 | |
| parent | 18e4808c1d4de0709c6643486a83935703e3fac0 (diff) | |
renderer: prevent out of bound vps access
Fix found thanks to american fuzzy lop.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
| -rw-r--r-- | src/vrend_decode.c | 2 | ||||
| -rw-r--r-- | src/vrend_renderer.c | 10 | ||||
| -rw-r--r-- | src/vrend_renderer.h | 2 |
3 files changed, 10 insertions, 4 deletions
diff --git a/src/vrend_decode.c b/src/vrend_decode.c index ff15f35..e36e1f6 100644 --- a/src/vrend_decode.c +++ b/src/vrend_decode.c @@ -172,7 +172,7 @@ static int vrend_decode_set_viewport_state(struct vrend_decode_ctx *ctx, int len { struct pipe_viewport_state vps[PIPE_MAX_VIEWPORTS]; int i, v; - int num_viewports, start_slot; + uint32_t num_viewports, start_slot; if (length < 1) return EINVAL; diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c index c8e5b60..2e380a9 100644 --- a/src/vrend_renderer.c +++ b/src/vrend_renderer.c @@ -1562,8 +1562,8 @@ void vrend_set_framebuffer_state(struct vrend_context *ctx, * an FBO already so don't need to invert rendering? */ void vrend_set_viewport_states(struct vrend_context *ctx, - int start_slot, - int num_viewports, + uint32_t start_slot, + uint32_t num_viewports, const struct pipe_viewport_state *state) { /* convert back to glViewport */ @@ -1574,6 +1574,12 @@ void vrend_set_viewport_states(struct vrend_context *ctx, GLfloat abs_s1 = fabsf(state->scale[1]); int i, idx; + if (num_viewports > PIPE_MAX_VIEWPORTS || + start_slot > (PIPE_MAX_VIEWPORTS - num_viewports)) { + report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER, num_viewports); + return; + } + for (i = 0; i < num_viewports; i++) { idx = start_slot + i; diff --git a/src/vrend_renderer.h b/src/vrend_renderer.h index 79fe081..78d00bd 100644 --- a/src/vrend_renderer.h +++ b/src/vrend_renderer.h @@ -210,7 +210,7 @@ int vrend_transfer_inline_write(struct vrend_context *ctx, unsigned usage); void vrend_set_viewport_states(struct vrend_context *ctx, - int start_slot, int num_viewports, + uint32_t start_slot, uint32_t num_viewports, const struct pipe_viewport_state *state); void vrend_set_num_sampler_views(struct vrend_context *ctx, uint32_t shader_type, |