renderer: validate scissor state index

Check the the index is < PIPE_MAX_VIEWPORTS. Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
author: Marc-André Lureau <marcandre.lureau@redhat.com> 2016-01-19 13:54:28 +0100
committer: Dave Airlie <airlied@redhat.com> 2016-02-10 12:01:16 +1000
commit: b079de618e6e68c94739f5c2615367e63509c3af (patch)
tree: 9f59f23be0360b4c485794f56b27c4168ab270a8
parent: 2aa6c5bca976a68391ed806dbfa5f9236f07d4f5 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 510285a..20d2946 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -2311,6 +2311,10 @@ static void vrend_update_scissor_state(struct vrend_context *ctx)
 
    while (mask) {
       idx = u_bit_scan(&mask);
+      if (idx >= PIPE_MAX_VIEWPORTS) {
+         vrend_report_buffer_error(ctx, 0);
+         break;
+      }
       ss = &ctx->sub->ss[idx];
       if (ctx->sub->viewport_is_negative)
          y = ss->miny;
@@ -4939,6 +4943,13 @@ void vrend_set_scissor_state(struct vrend_context *ctx,
                              struct pipe_scissor_state *ss)
 {
    int i, idx;
+
+   if (start_slot > PIPE_MAX_VIEWPORTS ||
+       num_scissor > (PIPE_MAX_VIEWPORTS - start_slot)) {
+      vrend_report_buffer_error(ctx, 0);
+      return;
+   }
+
    for (i = 0; i < num_scissor; i++) {
       idx = start_slot + i;
       ctx->sub->ss[idx] = ss[i];
author	Marc-André Lureau <marcandre.lureau@redhat.com>	2016-01-19 13:54:28 +0100
committer	Dave Airlie <airlied@redhat.com>	2016-02-10 12:01:16 +1000
commit	b079de618e6e68c94739f5c2615367e63509c3af (patch)
tree	9f59f23be0360b4c485794f56b27c4168ab270a8
parent	2aa6c5bca976a68391ed806dbfa5f9236f07d4f5 (diff)