vrend: fix buffer overflow in _mesa_DebugMessageInsert

Detected by fuzzer.

glDebugMessageInsert() expects either a char buffer and non-negative
length, or a null-terminated c-string and negative length. If a
non-null-terminated buffer is passed with a negative length, mesa
attempts to determine the length with strlen() and accesses out of
bounds memory.

This patch drops support for negative length, and consequently for
null-terminated debug messages from virglrenderer.

v2: explicitly disallow negative string lengths and null-terminated
    strings.

Signed-off-by: Ryan Neph <ryanneph@google.com>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
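The length semantics described above, as an added example that is not part of the commit or of virglrenderer: a small C model of the string-marker length guard before and after the patch, run on constructed lengths. It assumes `buf_len` is a signed `int` (the `%d` format in the hunk suggests this); an unsigned variant is included to show how the type changes the outcome.

```c
/* Added example, not virglrenderer code. Models the string-marker length
 * check so the old and new guards can be exercised on constructed input.
 * Assumption: buf_len is a signed int, as the "%d" format in the hunk
 * suggests; the unsigned variant below shows how that changes the result. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch guard: only an upper bound. A negative int32_t is smaller than
 * any non-negative int, so it passes and would later be treated by
 * glDebugMessageInsert() as "length unknown, call strlen()". */
static int old_check(int32_t len, int buf_len)
{
   if (len > buf_len)
      return EINVAL;
   return 0;
}

/* Post-patch guard: negative lengths are refused before the bound check,
 * so the message pointer is never used without an explicit length. */
static int new_check(int32_t len, int buf_len)
{
   if (len < 0)
      return EINVAL;
   else if (len > buf_len)
      return EINVAL;
   return 0;
}

/* Upper-bound-only guard with an unsigned buf_len. The usual arithmetic
 * conversions (made explicit by the cast) turn -1 into UINT32_MAX, so a
 * negative length is rejected by accident rather than by a visible,
 * intentional check. */
static int old_check_unsigned(int32_t len, uint32_t buf_len)
{
   if ((uint32_t)len > buf_len)
      return EINVAL;
   return 0;
}

int main(void)
{
   const int payload = 64;                 /* constructed payload size */
   const int32_t probes[] = { -1, 0, 64, 65 };
   for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
      printf("len %4d: old=%d new=%d old_unsigned=%d\n", (int)probes[i],
             old_check(probes[i], payload), new_check(probes[i], payload),
             old_check_unsigned(probes[i], (uint32_t)payload));
   return 0;
}
```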
macos/master
Ryan Neph 3 years ago
parent 875ce171d3
commit a108be89e3
      src/vrend_decode.c

@ -1587,7 +1587,10 @@ static int vrend_decode_send_string_marker(struct vrend_context *ctx, const uint
}
int32_t len = get_buf_entry(buf, VIRGL_SEND_STRING_MARKER_STRING_SIZE);
if (len > buf_len) {
if (len < 0) {
fprintf(stderr, "String len %d < 0\n", len);
return EINVAL;
} else if (len > buf_len) {
fprintf(stderr, "String len %d > buf_len %d\n", len, buf_len);
return EINVAL;
}
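Review bot: both new branches perform the same `fprintf(stderr, ...)`/`return EINVAL` action, and the reason for the `len < 0` branch (refusing the negative "null-terminated string" mode of glDebugMessageInsert, as the commit message explains) is visible only in the log text, not in the code. Consider a single `if (len < 0 || len > buf_len)` with one message, preceded by a short comment stating that negative lengths are deliberately unsupported. Also, `buf_len` is printed with `%d` but its declaration is outside the hunk; if it is unsigned, `%d` is the wrong conversion and the comparison `len > buf_len` promotes `len` to unsigned, which is worth a glance when confirming the new check behaves as intended.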
