vrend: fix VREND_MAX_CTX checks

The context array is declared as dec_ctx[VREND_MAX_CTX], so virgl shouldn't accept
id == VREND_MAX_CTX.

Found thanks to AddressSanitizer.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
macos/master
Marc-André Lureau 9 years ago committed by Dave Airlie
parent c01d5be76a
commit 9a2464c027
  1. 11
      src/vrend_decode.c

@ -1040,7 +1040,7 @@ void vrend_renderer_context_create_internal(uint32_t handle, uint32_t nlen,
{ {
struct vrend_decode_ctx *dctx; struct vrend_decode_ctx *dctx;
if (handle > VREND_MAX_CTX) if (handle >= VREND_MAX_CTX)
return; return;
dctx = malloc(sizeof(struct vrend_decode_ctx)); dctx = malloc(sizeof(struct vrend_decode_ctx));
@ -1060,8 +1060,9 @@ void vrend_renderer_context_create_internal(uint32_t handle, uint32_t nlen,
int vrend_renderer_context_create(uint32_t handle, uint32_t nlen, const char *debug_name) int vrend_renderer_context_create(uint32_t handle, uint32_t nlen, const char *debug_name)
{ {
if (handle > VREND_MAX_CTX) if (handle >= VREND_MAX_CTX)
return EINVAL; return EINVAL;
/* context 0 is always available with no guarantees */ /* context 0 is always available with no guarantees */
if (handle == 0) if (handle == 0)
return EINVAL; return EINVAL;
@ -1075,7 +1076,7 @@ void vrend_renderer_context_destroy(uint32_t handle)
struct vrend_decode_ctx *ctx; struct vrend_decode_ctx *ctx;
bool ret; bool ret;
if (handle > VREND_MAX_CTX) if (handle >= VREND_MAX_CTX)
return; return;
ctx = dec_ctx[handle]; ctx = dec_ctx[handle];
@ -1091,7 +1092,7 @@ void vrend_renderer_context_destroy(uint32_t handle)
struct vrend_context *vrend_lookup_renderer_ctx(uint32_t ctx_id) struct vrend_context *vrend_lookup_renderer_ctx(uint32_t ctx_id)
{ {
if (ctx_id > VREND_MAX_CTX) if (ctx_id >= VREND_MAX_CTX)
return NULL; return NULL;
if (dec_ctx[ctx_id] == NULL) if (dec_ctx[ctx_id] == NULL)
@ -1105,7 +1106,7 @@ int vrend_decode_block(uint32_t ctx_id, uint32_t *block, int ndw)
struct vrend_decode_ctx *gdctx; struct vrend_decode_ctx *gdctx;
bool bret; bool bret;
int ret; int ret;
if (ctx_id > VREND_MAX_CTX) if (ctx_id >= VREND_MAX_CTX)
return EINVAL; return EINVAL;
if (dec_ctx[ctx_id] == NULL) if (dec_ctx[ctx_id] == NULL)
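Review bot: The `>= VREND_MAX_CTX` bound is now open-coded in five functions (vrend_renderer_context_create_internal, vrend_renderer_context_create, vrend_renderer_context_destroy, vrend_lookup_renderer_ctx and vrend_decode_block), which is how one off-by-one ended up in all of them. Because the id is a caller-supplied parameter that directly indexes `dec_ctx[]`, I would put the check in one helper, e.g. `static inline bool vrend_ctx_id_valid(uint32_t id) { return id < VREND_MAX_CTX; }`, and add a comment at the array declaration stating that valid indices are 0..VREND_MAX_CTX-1. All five function bodies continue outside the hunks shown, so any other `dec_ctx[...]` access in this file that is not visible here should be checked against the same bound.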
