third_party
/
virglrenderer
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

renderer: fix integer overflow in create shader

Browse Source 
As the 'pkt_length' and 'offlen' can be malicious from guest,
the vrend_create_shader function has an integer overflow, this
will make the next 'memcpy' oob access. This patch avoid this.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
macos/master
Li Qiang 8 years ago committed by Dave Airlie
parent a2f12a1b0f
commit 93761787b2
1 changed files with 9 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 9
      src/vrend_renderer.c

9
src/vrend_renderer.c
Unescape View File

@ -2215,6 +2215,15 @@ int vrend_create_shader(struct vrend_context *ctx,
ret = EINVAL; ret = EINVAL;
goto error; goto error;
} }
/*make sure no overflow */
if (pkt_length * 4 < pkt_length ||
pkt_length * 4 + sel->buf_offset < pkt_length * 4 ||
pkt_length * 4 + sel->buf_offset < sel->buf_offset) {
ret = EINVAL;
goto error;
}
if ((pkt_length * 4 + sel->buf_offset) > sel->buf_len) { if ((pkt_length * 4 + sel->buf_offset) > sel->buf_len) {
fprintf(stderr, "Got too large shader continuation %d vs %d\n", fprintf(stderr, "Got too large shader continuation %d vs %d\n",
pkt_length * 4 + sel->buf_offset, sel->buf_len); pkt_length * 4 + sel->buf_offset, sel->buf_len);

Write Preview
Loading…
Cancel
Save