renderer: validate shader_type value

Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
author: Marc-André Lureau <marcandre.lureau@redhat.com> 2016-01-19 01:06:55 +0100
committer: Dave Airlie <airlied@redhat.com> 2016-02-10 12:32:55 +1000
commit: 775f5ed62a4eb3ceb4960a0cd4292a14883f86d4 (patch)
tree: 8cb3b0d9687645a315ba56862cbd9205e8bed468
parent: ddb49b593125124cf63eefe24d8c4f6074c7b1ae (diff)
2 files changed, 8 insertions, 0 deletions
diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index a5467e3..ff15f35 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -898,6 +898,9 @@ static int vrend_decode_bind_sampler_states(struct vrend_decode_ctx *ctx, int le
    if (length < 2)
       return EINVAL;
 
+   if (shader_type >= PIPE_SHADER_TYPES)
+      return EINVAL;
+
    vrend_bind_sampler_states(ctx->grctx, shader_type, start_slot, num_states,
                              get_buf_ptr(ctx, VIRGL_BIND_SAMPLER_STATES_S0_HANDLE));
    return 0;
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index ab60729..fcd79c5 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -3407,6 +3407,11 @@ void vrend_bind_sampler_states(struct vrend_context *ctx,
    int i;
    struct vrend_sampler_state *state;
 
+   if (shader_type >= PIPE_SHADER_TYPES) {
+      report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER, shader_type);
+      return;
+   }
+
    ctx->sub->num_sampler_states[shader_type] = num_states;
 
    for (i = 0; i < num_states; i++) {
author	Marc-André Lureau <marcandre.lureau@redhat.com>	2016-01-19 01:06:55 +0100
committer	Dave Airlie <airlied@redhat.com>	2016-02-10 12:32:55 +1000
commit	775f5ed62a4eb3ceb4960a0cd4292a14883f86d4 (patch)
tree	8cb3b0d9687645a315ba56862cbd9205e8bed468
parent	ddb49b593125124cf63eefe24d8c4f6074c7b1ae (diff)