From 48f67f60967f963b698ec8df57ec6912a43d6282 Mon Sep 17 00:00:00 2001
From: Li Qiang
Date: Thu, 29 Dec 2016 05:57:40 -0500
Subject: [PATCH] renderer: fix NULL pointer deref in vrend_clear

In vrend clear dispatch function, the 'buffers' is read from guest. A malicious guest can specify a bad 'buffers' to make a the function call util_format_is_pure_uint() even the 'ctx->sub->surf[i]' is NULL. This can cause a NULL pointer deref. Make a sanity check to avoid this.
[airlied: use a define]
Signed-off-by: Li Qiang
Signed-off-by: Dave Airlie
---
 src/vrend_renderer.c | 8 ++++----
 src/vrend_renderer.h | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 0af91ae..1bca7ad 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -325,7 +325,7 @@ struct vrend_sub_context {
 uint32_t fb_id;
 int nr_cbufs, old_nr_cbufs;
 struct vrend_surface *zsurf;
- struct vrend_surface *surf[8];
+ struct vrend_surface *surf[PIPE_MAX_COLOR_BUFS];
 struct vrend_viewport vps[PIPE_MAX_VIEWPORTS];
 float depth_transform, depth_scale;
@@ -1482,7 +1482,7 @@ static void vrend_hw_emit_framebuffer_state(struct vrend_context *ctx)
 }
 void vrend_set_framebuffer_state(struct vrend_context *ctx,
- uint32_t nr_cbufs, uint32_t surf_handle[8],
+ uint32_t nr_cbufs, uint32_t surf_handle[PIPE_MAX_COLOR_BUFS],
 uint32_t zsurf_handle)
 {
 struct vrend_surface *surf, *zsurf;
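Review bot: The `PIPE_MAX_COLOR_BUFS` dimension added to the `surf_handle` parameter of vrend_set_framebuffer_state is documentation only — an array parameter decays to a pointer, so the compiler accepts a caller passing any length and the bound still has to be enforced against `nr_cbufs` before the body indexes `surf_handle[]` or `ctx->sub->surf[]`. The body lies outside the hunk, so whether such a clamp already exists cannot be seen here; if `nr_cbufs` comes from the guest command stream, as the commit message says `buffers` does for vrend_clear, a value above PIPE_MAX_COLOR_BUFS would walk past both arrays. A guard at the top of the body, `if (nr_cbufs > PIPE_MAX_COLOR_BUFS) return;` (or whatever error path the decoder expects), would make the declared bound real. The function's body continues outside the hunk.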
@@ -2367,10 +2367,10 @@ void vrend_clear(struct vrend_context *ctx,
 mask = buffers >> 2;
 while (mask) {
 i = u_bit_scan(&mask);
- if (util_format_is_pure_uint(ctx->sub->surf[i]->format))
+ if (i < PIPE_MAX_COLOR_BUFS && ctx->sub->surf[i] && util_format_is_pure_uint(ctx->sub->surf[i] && ctx->sub->surf[i]->format))
 glClearBufferuiv(GL_COLOR, i, (GLuint *)color);
- else if (util_format_is_pure_sint(ctx->sub->surf[i]->format))
+ else if (i < PIPE_MAX_COLOR_BUFS && ctx->sub->surf[i] && util_format_is_pure_sint(ctx->sub->surf[i] && ctx->sub->surf[i]->format))
 glClearBufferiv(GL_COLOR, i, (GLint *)color);
 else
diff --git a/src/vrend_renderer.h b/src/vrend_renderer.h
index dde7d75..b9eeb71 100644
--- a/src/vrend_renderer.h
+++ b/src/vrend_renderer.h
@@ -127,7 +127,7 @@ void vrend_draw_vbo(struct vrend_context *ctx,
 uint32_t cso);
 void vrend_set_framebuffer_state(struct vrend_context *ctx,
- uint32_t nr_cbufs, uint32_t surf_handle[8],
+ uint32_t nr_cbufs, uint32_t surf_handle[PIPE_MAX_COLOR_BUFS],
 uint32_t zsurf_handle);
 struct vrend_context *vrend_create_context(int id, uint32_t nlen, const char *debug_name);
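Review bot: The argument handed to util_format_is_pure_uint() and util_format_is_pure_sint() on the two added `if` lines is `ctx->sub->surf[i] && ctx->sub->surf[i]->format`, i.e. the boolean result of the `&&` (0 or 1) rather than the surface format, so once the NULL check passes both integer tests are evaluated on format value 1 and pure-integer color buffers will fall through to the float clear in the `else` branch (whose glClearBufferfv call lies outside the hunk); the intended argument is `ctx->sub->surf[i]->format` alone. Separately, a bit with `i >= PIPE_MAX_COLOR_BUFS` or a NULL `surf[i]` no longer dereferences NULL but still reaches that `else` branch with a guest-chosen buffer index; since `buffers` comes from the guest per the commit message, skipping such bits with a `continue` before the format dispatch seems safer than issuing a clear on an unbound buffer, though whether an unbound buffer should be ignored or reported is for the maintainers to confirm. Hoisting the range and NULL checks into one guard also removes the duplicated condition. vrend_clear begins and ends outside the hunk.

```c
         i = u_bit_scan(&mask);
         /* 'buffers' is guest-controlled: ignore bits beyond the
          * color-buffer array or with no surface bound */
         if (i >= PIPE_MAX_COLOR_BUFS || !ctx->sub->surf[i])
            continue;
         if (util_format_is_pure_uint(ctx->sub->surf[i]->format))
            glClearBufferuiv(GL_COLOR, i, (GLuint *)color);
         else if (util_format_is_pure_sint(ctx->sub->surf[i]->format))
            glClearBufferiv(GL_COLOR, i, (GLint *)color);
         else
            /* … unchanged: float clear … */
```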