From 8c9cfb4e425542e96f0717189fe4658555baaf08 Mon Sep 17 00:00:00 2001 From: Gert Wollny Date: Tue, 8 Oct 2019 17:26:22 +0200 Subject: [PATCH] tests: Add trigger for overflow in texture data upload Related #140 Signed-off-by: Gert Wollny Acked-by: Emil Velikov --- tests/test_fuzzer_formats.c | 41 +++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c index 283a252..09fd113 100644 --- a/tests/test_fuzzer_formats.c +++ b/tests/test_fuzzer_formats.c @@ -614,6 +614,46 @@ static void test_heap_overflow_vrend_renderer_transfer_write_iov() virgl_renderer_submit_cmd((void *) cmd, ctx_id, 11 + 4 + 1); } +static void test_heap_overflow_vrend_renderer_transfer_write_iov_compressed_tex() +{ + struct virgl_renderer_resource_create_args args; + args.handle = 1; + args.target = 5; + args.format = 203; + args.bind = 1; + args.width = 100; + args.height = 1; + args.depth = 1; + args.array_size = 0; + args.last_level = 0; + args.nr_samples = 0; + args.flags = 1; + + virgl_renderer_resource_create(&args, NULL, 0); + virgl_renderer_ctx_attach_resource(ctx_id, args.handle); + + char data[16]; + memset(data, 'A', 16); + uint32_t cmd[11 + 4 +1]; + + int i = 0; + cmd[i++] = (11+4) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE; + cmd[i++] = 1; // handle + cmd[i++] = 0; // level + cmd[i++] = 0; // usage + cmd[i++] = 135168; // stride + cmd[i++] = 655361; // layer_stride + cmd[i++] = 1; // x + cmd[i++] = 0; // y + cmd[i++] = 0; // z + cmd[i++] = 5; // w + cmd[i++] = 1; // h + cmd[i++] = 0; // d + memcpy(&cmd[i], data, 16); + + virgl_renderer_submit_cmd((void *) cmd, ctx_id, 11 + 4 + 1); +} + int main() { initialize_environment(); @@ -630,6 +670,7 @@ int main() test_format_is_has_alpha_nullptr_deref_trigger_legal_resource(); test_heap_overflow_vrend_renderer_transfer_write_iov(); + test_heap_overflow_vrend_renderer_transfer_write_iov_compressed_tex(); virgl_renderer_context_destroy(ctx_id); virgl_renderer_cleanup(&cookie);