authorMarc-André Lureau <marcandre.lureau@redhat.com>2016-01-21 14:28:53 +0100
committerDave Airlie <airlied@redhat.com>2016-02-10 12:39:47 +1000
commit043905990f611a150f02d6ef8e0da2353b5705dc (patch)
tree24a1cb8f13d02eaf3a0d8fafc4cf0fa828b4cd36
parente215bde74e4ddbffe73fd81327b4df577acc4e4d (diff)
renderer: over-allocate shader buffer
Since the memcpy() is done over a multiple of 4 bytes, over-allocate the destination buffer so that it fits the shader length rounded up to a multiple of 4. Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-rw-r--r--src/vrend_renderer.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 05a2ed7..78792d7 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -2155,12 +2155,12 @@ int vrend_create_shader(struct vrend_context *ctx,
return ENOMEM;
if (long_shader) {
- sel->tmp_buf = malloc(offlen);
+ sel->buf_len = ((offlen + 3) / 4) * 4; /* round up buffer size */
+ sel->tmp_buf = malloc(sel->buf_len);
if (!sel->tmp_buf) {
free(sel);
return ENOMEM;
}
- sel->buf_len = offlen;
memcpy(sel->tmp_buf, shd_text, pkt_length * 4);
sel->buf_offset = pkt_length * 4;
ctx->sub->long_shader_in_progress_handle[type] = handle;
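Review bot: The `memcpy(sel->tmp_buf, shd_text, pkt_length * 4)` after the new allocation is still not bounded by `sel->buf_len` anywhere in this hunk. Rounding `offlen` up to a multiple of 4 only helps when the packet carries no more than the padded shader length. vrend_create_shader starts and continues outside the hunk, so an earlier check may exist; if none ties `pkt_length` to `offlen`, a guard right after `buf_len` is computed would be needed, e.g. `if ((size_t)pkt_length * 4 > sel->buf_len) { free(sel); return EINVAL; }`. Separately, if `offlen` is a 32-bit unsigned value supplied by the guest (its type is not visible here), `offlen + 3` can wrap and yield a near-zero `buf_len`, so an upper bound on `offlen` should be checked before the rounding.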