From 9033b26976dbca8d67a6ec5538711d02730cc2f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Tue, 19 Jan 2016 00:52:32 +0100
Subject: [PATCH] renderer: validate num_so_outputs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Avoid out-of-bound acces of array so_info.output.

Fix found thanks to american fuzzy lop.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
 src/vrend_decode.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index b3c7dea..d946734 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -80,6 +80,9 @@ static int vrend_decode_create_shader(struct vrend_decode_ctx *ctx,
    offlen = get_buf_entry(ctx, VIRGL_OBJ_SHADER_OFFSET);
    num_so_outputs = get_buf_entry(ctx, VIRGL_OBJ_SHADER_SO_NUM_OUTPUTS);
 
+   if (num_so_outputs > PIPE_MAX_SO_OUTPUTS)
+      return EINVAL;
+
    shader_offset = 6;
    if (num_so_outputs) {
       so_info.num_outputs = num_so_outputs;