From 9033b26976dbca8d67a6ec5538711d02730cc2f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 19 Jan 2016 00:52:32 +0100
Subject: [PATCH] renderer: validate num_so_outputs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Avoid out-of-bound acces of array so_info.output. Fix found thanks to american fuzzy lop.
Signed-off-by: Marc-André Lureau
---
src/vrend_decode.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index b3c7dea..d946734 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -80,6 +80,9 @@ static int vrend_decode_create_shader(struct vrend_decode_ctx *ctx, offlen = get_buf_entry(ctx, VIRGL_OBJ_SHADER_OFFSET); num_so_outputs = get_buf_entry(ctx, VIRGL_OBJ_SHADER_SO_NUM_OUTPUTS); + if (num_so_outputs > PIPE_MAX_SO_OUTPUTS) + return EINVAL; + shader_offset = 6; if (num_so_outputs) { so_info.num_outputs = num_so_outputs;
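Review bot: The added upper-bound check on `num_so_outputs` protects `so_info.output` only if that variable is unsigned, and its declaration is outside the hunk. If it is a signed `int`, a negative value read from the command buffer passes `> PIPE_MAX_SO_OUTPUTS` and is still non-zero at `if (num_so_outputs)`. Either confirm the declaration is unsigned or make the comparison explicit, e.g. `if ((unsigned)num_so_outputs > PIPE_MAX_SO_OUTPUTS)`. The check also bounds the count against the array but not against the length of the command being decoded, so the per-output reads that presumably follow may still go past the submitted command unless that is validated elsewhere. The body of vrend_decode_create_shader starts and ends outside the hunk, so both points need checking against the full function.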