renderer: avoid out of bound sampler array access

Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
9 years ago · 18e4808c1d
parent 775f5ed62a
commit 18e4808c1d
1 changed files with 6 additions and 0 deletions
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@ -3412,6 +3412,12 @@ void vrend_bind_sampler_states(struct vrend_context *ctx,
      return;
   }

+   if (num_states > PIPE_MAX_SAMPLERS ||
+       start_slot > (PIPE_MAX_SAMPLERS - num_states)) {
+      report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER, num_states);
+      return;
+   }
+
   ctx->sub->num_sampler_states[shader_type] = num_states;

   for (i = 0; i < num_states; i++) {