third_party
/
virglrenderer
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

renderer: fix heap overflow in vertex elements state create

Browse Source 
The 'num_elements' can be controlled by the guest but the
'vrend_vertex_element_array' has a fixed 'elements' field.
This can cause a heap overflow. Add sanity check of 'num_elements'.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
macos/master
Li Qiang 8 years ago committed by Dave Airlie
parent 28894a30a1
commit 114688c526
1 changed files with 3 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 3
      src/vrend_renderer.c

3
src/vrend_renderer.c
Unescape View File

@ -1656,6 +1656,9 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx,
if (!v) if (!v)
return ENOMEM; return ENOMEM;
if (num_elements > PIPE_MAX_ATTRIBS)
return EINVAL;
v->count = num_elements; v->count = num_elements;
for (i = 0; i < num_elements; i++) { for (i = 0; i < num_elements; i++) {
memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element)); memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element));

Write Preview
Loading…
Cancel
Save