Detected by fuzzer.

glDebugMessageInsert() expects either a char buffer and non-negative length, or a null-terminated c-string and negative length. If a non-null-terminated buffer is passed with a negative length, mesa attempts to determine the length with strlen() and accesses out of bounds memory.

This patch drops support for negative length, and consequently for null-terminated debug messages from virglrenderer.

v2: explicitly disallow negative string lengths and null-terminated strings.

Signed-off-by: Ryan Neph <ryanneph@google.com>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>

macos/master
parent 875ce171d3
commit a108be89e3
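
The length rule described in the commit message, as an added example that is not code from this commit or from virglrenderer. The function names, the buffer-size parameter and the sample message are assumptions made for illustration; the first function models the "negative length means scan for NUL" behaviour, the second accepts only an explicit, in-bounds length.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 4-byte message with no terminating NUL. */
static const char msg_no_nul[4] = { 'a', 'b', 'c', 'd' };

/* Models how a consumer with glDebugMessageInsert()-style semantics
 * resolves the length: a negative value means "scan for NUL".
 * Returns 1 if resolving the length would read past buf_size bytes.
 * The scan is bounded here so the model itself never over-reads. */
static int gl_style_len_would_overread(const char *buf, size_t buf_size,
                                       int32_t len)
{
    if (len >= 0)
        return (size_t)len > buf_size;
    return memchr(buf, '\0', buf_size) == NULL;
}

/* Hypothetical host-side check applied before the message is forwarded:
 * negative lengths are rejected outright, so the callee never has to
 * rely on a terminator that an untrusted sender may have left out. */
static int check_debug_msg(const char *buf, size_t buf_size, int32_t len)
{
    if (buf == NULL || len < 0)
        return -EINVAL;
    if ((size_t)len > buf_size)
        return -EINVAL;
    return 0;
}

int main(void)
{
    printf("len=-1 would over-read: %d\n",
           gl_style_len_would_overread(msg_no_nul, sizeof msg_no_nul, -1));
    printf("check len=-1: %d\n",
           check_debug_msg(msg_no_nul, sizeof msg_no_nul, -1));
    printf("check len=4:  %d\n",
           check_debug_msg(msg_no_nul, sizeof msg_no_nul, 4));
    return 0;
}
```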