vrend: Check number of ABOs transmitted from the guest

If the value indicating the number of ABOs is very large, the current
tests were not sufficient to insure out-of-range array access, because
the integer subtraction might overflow. Check the actual number of ABOs
too to avoid this.

Fixes #160

Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
Reviewed-by: Lepton Wu <lepton@chromium.org>
macos/master
Gert Wollny 5 years ago
parent 4df12ad51f
commit 5bc1a77c0e
      src/vrend_decode.c

@ -1192,7 +1192,8 @@ static int vrend_decode_set_atomic_buffers(struct vrend_decode_ctx *ctx, uint16_
if (num_abo < 1) if (num_abo < 1)
return 0; return 0;
if (start_slot > PIPE_MAX_HW_ATOMIC_BUFFERS || if (num_abo > PIPE_MAX_HW_ATOMIC_BUFFERS ||
start_slot > PIPE_MAX_HW_ATOMIC_BUFFERS ||
start_slot > PIPE_MAX_HW_ATOMIC_BUFFERS - num_abo) start_slot > PIPE_MAX_HW_ATOMIC_BUFFERS - num_abo)
return EINVAL; return EINVAL;
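Review bot: the middle test `start_slot > PIPE_MAX_HW_ATOMIC_BUFFERS` in the new condition is now redundant. With `num_abo < 1` rejected just above and `num_abo > PIPE_MAX_HW_ATOMIC_BUFFERS` rejected first, `PIPE_MAX_HW_ATOMIC_BUFFERS - num_abo` always stays in range and below `PIPE_MAX_HW_ATOMIC_BUFFERS`, so the final comparison alone covers every `start_slot` the middle test would catch. Consider dropping it, and add a one-line comment saying the `num_abo` bound must stay first, because the short-circuit order is what keeps the subtraction from overflowing. Since both values come from the guest, a regression test that submits a `num_abo` above the limit and expects `EINVAL` would stop a later reordering from reintroducing the issue referenced in "Fixes #160".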
