From 990db949e93479e9dba88c942b4443c679e41ad9 Mon Sep 17 00:00:00 2001
From: Erik Faye-Lund <erik.faye-lund@collabora.com>
Date: Fri, 8 Mar 2019 11:32:25 +0100
Subject: [PATCH] vrend: validate transfer_mode while decoding

Signed-off-by: Erik Faye-Lund <erik.faye-lund@collabora.com>
Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>
---
 src/vrend_decode.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index bcef26d..293c9b0 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -1326,6 +1326,10 @@ static int vrend_decode_transfer3d(struct vrend_decode_ctx *ctx, int length, uin
    int transfer_mode = get_buf_entry(ctx, VIRGL_TRANSFER3D_DIRECTION);
    info.context0 = false;
 
+   if (transfer_mode != VIRGL_TRANSFER_TO_HOST &&
+       transfer_mode != VIRGL_TRANSFER_FROM_HOST)
+      return EINVAL;
+
    return vrend_renderer_transfer_iov(&info, transfer_mode);
 }