vrend: fix buffer overflow in _mesa_DebugMessageInsert

Detected by fuzzer. glDebugMessageInsert() expects either a char buffer and non-negative length, or a null-terminated c-string and negative length. If a non-null-terminated buffer is passed with a negative length, mesa attempts to determine the length with strlen() and accesses out of bounds memory. This patch drops support for negative length, and consequently for null-terminated debug messages from virglrenderer. v2: explicitly disallow negative string lengths and null-terminated strings. Signed-off-by: Ryan Neph <ryanneph@google.com> Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
3 years ago · a108be89e3
parent 875ce171d3
commit a108be89e3
1 changed files with 4 additions and 1 deletions
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@ -1587,7 +1587,10 @@ static int vrend_decode_send_string_marker(struct vrend_context *ctx, const uint
   }

   int32_t len = get_buf_entry(buf, VIRGL_SEND_STRING_MARKER_STRING_SIZE);
-   if (len > buf_len) {
+   if (len < 0) {
+      fprintf(stderr, "String len %d < 0\n", len);
+      return EINVAL;
+   } else if (len > buf_len) {
       fprintf(stderr, "String len %d > buf_len %d\n", len, buf_len);
       return EINVAL;
   }