From 0ffac9df87edc0ea4806f300565947a8bbbedfb6 Mon Sep 17 00:00:00 2001
From: Chia-I Wu
Date: Tue, 17 Aug 2021 11:39:41 -0700
Subject: [PATCH] vkr: fix two more cases of NULL dereferences

These are marked noautovalidity="true" in vk.xml and the decoder does not validate them. There are more incidents, but for the others, we will let VVL do its job.

Reported by Yiwei.

Signed-off-by: Chia-I Wu
Reviewed-by: Yiwei Zhang
Reviewed-by: Ryan Neph
---
 src/venus/vkr_command_buffer.c | 6 ++++++
 src/venus/vkr_descriptor_set.c | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/src/venus/vkr_command_buffer.c b/src/venus/vkr_command_buffer.c
index f215d65..8ea426b 100644
--- a/src/venus/vkr_command_buffer.c
+++ b/src/venus/vkr_command_buffer.c
@@ -77,6 +77,12 @@ vkr_dispatch_vkFreeCommandBuffers(struct vn_dispatch_context *dispatch,
    struct vkr_context *ctx = dispatch->data;
    struct list_head free_list;
 
+   /* args->pCommandBuffers is marked noautovalidity="true" */
+   if (args->commandBufferCount && !args->pCommandBuffers) {
+      vkr_cs_decoder_set_fatal(&ctx->decoder);
+      return;
+   }
+
    vkr_command_buffer_destroy_driver_handles(ctx, args, &free_list);
    vkr_context_remove_objects(ctx, &free_list);
 }
diff --git a/src/venus/vkr_descriptor_set.c b/src/venus/vkr_descriptor_set.c
index 2675add..8580466 100644
--- a/src/venus/vkr_descriptor_set.c
+++ b/src/venus/vkr_descriptor_set.c
@@ -108,6 +108,12 @@ vkr_dispatch_vkFreeDescriptorSets(struct vn_dispatch_context *dispatch,
    struct vkr_context *ctx = dispatch->data;
    struct list_head free_list;
 
+   /* args->pDescriptorSets is marked noautovalidity="true" */
+   if (args->descriptorSetCount && !args->pDescriptorSets) {
+      vkr_cs_decoder_set_fatal(&ctx->decoder);
+      return;
+   }
+
    vkr_descriptor_set_destroy_driver_handles(ctx, args, &free_list);
    vkr_context_remove_objects(ctx, &free_list);
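Review bot: The new comment in the vkr_command_buffer.c hunk records the vk.xml attribute but not the consequence that motivates the guard, so a reader of vkr_dispatch_vkFreeCommandBuffers has to already know that noautovalidity means the generated decoder skips the NULL check on this guest-supplied pointer; suggest `/* pCommandBuffers is noautovalidity="true" in vk.xml, so the decoder does not NULL-check it; reject a NULL array before the driver path dereferences it */`. The guard is skipped when commandBufferCount is 0, so vkr_command_buffer_destroy_driver_handles then runs with an empty array; whether that path still initializes free_list before vkr_context_remove_objects reads it is outside the hunk and worth confirming. The same guard and comment appear in the vkr_descriptor_set.c hunk, where the same wording applies. The enclosing function's signature lies before the hunk, and the second hunk is cut off before its closing brace.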