renderer: over-allocate shader buffer

Since the memcpy() is done over multiple of 4 bytes, over-allocate the destination buffer to fit multiple of 4 shader length. Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
9 years ago · 043905990f
parent e215bde74e
commit 043905990f
1 changed files with 2 additions and 2 deletions
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@ -2155,12 +2155,12 @@ int vrend_create_shader(struct vrend_context *ctx,
       return ENOMEM;

     if (long_shader) {
-        sel->tmp_buf = malloc(offlen);
+        sel->buf_len = ((offlen + 3) / 4) * 4; /* round up buffer size */
+        sel->tmp_buf = malloc(sel->buf_len);
        if (!sel->tmp_buf) {
           free(sel);
           return ENOMEM;
        }
-        sel->buf_len = offlen;
        memcpy(sel->tmp_buf, shd_text, pkt_length * 4);
        sel->buf_offset = pkt_length * 4;
        ctx->sub->long_shader_in_progress_handle[type] = handle;