third_party
/
virglrenderer
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

vrend: add sanity check for vertext buffer index

Browse Source 
The vertext_buffer_index is read from guest and then used
to index the 'vbo' array in struct 'vrend_sub_context'.
Add sanity check for this to avoid oob issue.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
macos/master
Li Qiang 8 years ago committed by Dave Airlie
parent 6eb13f7a2d
commit a5ac49940c
1 changed files with 4 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 4
      src/vrend_decode.c

4
src/vrend_decode.c
Unescape View File

@ -612,6 +612,10 @@ static int vrend_decode_create_ve(struct vrend_decode_ctx *ctx, uint32_t handle,
ve[i].src_offset = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_SRC_OFFSET(i)); ve[i].src_offset = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_SRC_OFFSET(i));
ve[i].instance_divisor = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_INSTANCE_DIVISOR(i)); ve[i].instance_divisor = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_INSTANCE_DIVISOR(i));
ve[i].vertex_buffer_index = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_VERTEX_BUFFER_INDEX(i)); ve[i].vertex_buffer_index = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_VERTEX_BUFFER_INDEX(i));
if (ve[i].vertex_buffer_index >= PIPE_MAX_ATTRIBS)
return EINVAL;
ve[i].src_format = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_SRC_FORMAT(i)); ve[i].src_format = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_SRC_FORMAT(i));
} }
} }

Write Preview
Loading…
Cancel
Save