Allocate enough room for both reset & flags attributes

ctx_attribs had room for 3 pairs of attributes, but if both flags & reset attributes were being returned it was storing 4 pairs in the array. Found by Coverity #53442: Out-of-bounds write This could cause an immediate crash or incorrect computations. In create_driver_context: Out-of-bounds write to a buffer (CWE-119) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Keith Packard <keithp@keithp.com>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2014-10-09 05:42:08 -0700
committer: Keith Packard <keithp@keithp.com> 2014-10-23 17:31:59 -0700
commit: 7e5bc49d1ed2c78c321da79bdbc99b90c5f95b38 (patch)
tree: 858b56f5fadac5325cf1cd3519690f4ca8b38016 /glx
parent: cffd4e4a4ee615d8583eae78b35017e0d1bfa4f0 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/glx/glxdri2.c b/glx/glxdri2.c
index c756bf570..5a8966f74 100644
--- a/glx/glxdri2.c
+++ b/glx/glxdri2.c
@@ -475,7 +475,7 @@ create_driver_context(__GLXDRIcontext * context,
     context->driContext = NULL;
 
     if (screen->dri2->base.version >= 3) {
-        uint32_t ctx_attribs[3 * 2];
+        uint32_t ctx_attribs[4 * 2];
         unsigned num_ctx_attribs = 0;
         unsigned dri_err = 0;
         unsigned major_ver;
@@ -510,6 +510,8 @@ create_driver_context(__GLXDRIcontext * context,
                     __DRI_CTX_ATTRIB_RESET_STRATEGY;
                 ctx_attribs[num_ctx_attribs++] = reset;
             }
+
+            assert(num_ctx_attribs <= ARRAY_SIZE(ctx_attribs));
         }
 
         context->driContext =
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2014-10-09 05:42:08 -0700
committer	Keith Packard <keithp@keithp.com>	2014-10-23 17:31:59 -0700
commit	7e5bc49d1ed2c78c321da79bdbc99b90c5f95b38 (patch)
tree	858b56f5fadac5325cf1cd3519690f4ca8b38016 /glx
parent	cffd4e4a4ee615d8583eae78b35017e0d1bfa4f0 (diff)