From 64c946958737eef1e3c113775483bd4073a05299 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Thu, 4 Feb 2016 08:44:22 +0100 Subject: [PATCH] decode: check streamout-targets num_handles MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Prevent out-of-bound array access. Found thanks to AddressSanitizer & american fuzzy lop. Signed-off-by: Marc-André Lureau --- src/vrend_decode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/vrend_decode.c b/src/vrend_decode.c index fad633e..36d4925 100644 --- a/src/vrend_decode.c +++ b/src/vrend_decode.c @@ -1025,6 +1025,9 @@ static int vrend_decode_set_streamout_targets(struct vrend_decode_ctx *ctx, if (length < 1) return EINVAL; + if (num_handles > ARRAY_SIZE(handles)) + return EINVAL; + append_bitmask = get_buf_entry(ctx, VIRGL_SET_STREAMOUT_TARGETS_APPEND_BITMASK); for (i = 0; i < num_handles; i++) handles[i] = get_buf_entry(ctx, VIRGL_SET_STREAMOUT_TARGETS_H0 + i);
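Review bot: The added check `if (num_handles > ARRAY_SIZE(handles))` has no comment saying that, in the visible lines, it is the only thing bounding the `handles[i] = get_buf_entry(...)` writes in the loop below it, so a later refactor could move or drop it unnoticed. I would add `/* num_handles is taken from the command stream; reject counts that would overrun handles[] */` directly above it. The declarations of `num_handles` and `handles` are outside the hunk, so I am assuming `num_handles` is derived from `length` and that `handles` is a true array rather than a pointer (otherwise `ARRAY_SIZE` would not yield the element count). Since the commit message says the access was found by fuzzing, the triggering input is worth keeping as a regression case, and any other decode handlers that fill a fixed-size array from a length-derived count should be checked for the same guard.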