renderer: fix integer overflow in create shader

As the 'pkt_length' and 'offlen' can be malicious from the guest,
the vrend_create_shader function has an integer overflow; this
will make the next 'memcpy' an OOB access. This patch avoids this.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
macos/master
Li Qiang 8 years ago committed by Dave Airlie
parent a2f12a1b0f
commit 93761787b2
Changed files: src/vrend_renderer.c (9 lines added)

@ -2215,6 +2215,15 @@ int vrend_create_shader(struct vrend_context *ctx,
ret = EINVAL; ret = EINVAL;
goto error; goto error;
} }
/*make sure no overflow */
if (pkt_length * 4 < pkt_length ||
pkt_length * 4 + sel->buf_offset < pkt_length * 4 ||
pkt_length * 4 + sel->buf_offset < sel->buf_offset) {
ret = EINVAL;
goto error;
}
if ((pkt_length * 4 + sel->buf_offset) > sel->buf_len) { if ((pkt_length * 4 + sel->buf_offset) > sel->buf_len) {
fprintf(stderr, "Got too large shader continuation %d vs %d\n", fprintf(stderr, "Got too large shader continuation %d vs %d\n",
pkt_length * 4 + sel->buf_offset, sel->buf_len); pkt_length * 4 + sel->buf_offset, sel->buf_len);
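Review bot: the multiplication test `pkt_length * 4 < pkt_length` on the first added line does not catch every wrap of the product. If `pkt_length` is a 32-bit unsigned value, inputs roughly in the range 0x55555556..0x7FFFFFFF wrap to a product that is still larger than `pkt_length`, so they pass this check and are only rejected later by the `> sel->buf_len` comparison; if the operands are signed (the `%d` format below suggests they may be), the wrapped multiplication is undefined behaviour before the check ever runs. A check that compares before multiplying is robust regardless of type, e.g. `if (pkt_length > UINT32_MAX / 4 || sel->buf_offset > sel->buf_len || pkt_length * 4 > sel->buf_len - sel->buf_offset) { ret = EINVAL; goto error; }`, which also subsumes the two addition-overflow tests and the existing `buf_len` comparison. Minor: `pkt_length * 4 + sel->buf_offset` is now evaluated five times in this hunk; storing it once in a local (e.g. `uint32_t end = pkt_length * 4 + sel->buf_offset;` after the overflow check) keeps the later comparison and the error message consistent.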
