From 114688c526fe45f341d75ccd1d85473c3b08f7a7 Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Tue, 27 Dec 2016 04:56:16 -0500
Subject: [PATCH] renderer: fix heap overflow in vertex elements state create
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 'num_elements' can be controlled by the guest but the
'vrend_vertex_element_array' has a fixed 'elements' field.
This can cause a heap overflow. Add sanity check of 'num_elements'.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
 src/vrend_renderer.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 00b61eb..32e2e7d 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -1656,6 +1656,9 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx,
    if (!v)
       return ENOMEM;
 
+   if (num_elements > PIPE_MAX_ATTRIBS)
+      return EINVAL;
+
    v->count = num_elements;
    for (i = 0; i < num_elements; i++) {
       memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element));