From b079de618e6e68c94739f5c2615367e63509c3af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 19 Jan 2016 13:54:28 +0100
Subject: [PATCH] renderer: validate scissor state index
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Check the the index is < PIPE_MAX_VIEWPORTS.

Fix found thanks to american fuzzy lop.

Signed-off-by: Marc-André Lureau
---
 src/vrend_renderer.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 510285a..20d2946 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -2311,6 +2311,10 @@ static void vrend_update_scissor_state(struct vrend_context *ctx)
    while (mask) {
       idx = u_bit_scan(&mask);
+      if (idx >= PIPE_MAX_VIEWPORTS) {
+         vrend_report_buffer_error(ctx, 0);
+         break;
+      }
       ss = &ctx->sub->ss[idx];
       if (ctx->sub->viewport_is_negative)
          y = ss->miny;
@@ -4939,6 +4943,13 @@ void vrend_set_scissor_state(struct vrend_context *ctx,
                             struct pipe_scissor_state *ss)
 {
    int i, idx;
+
+   if (start_slot > PIPE_MAX_VIEWPORTS ||
+       num_scissor > (PIPE_MAX_VIEWPORTS - start_slot)) {
+      vrend_report_buffer_error(ctx, 0);
+      return;
+   }
+
    for (i = 0; i < num_scissor; i++) {
       idx = start_slot + i;
       ctx->sub->ss[idx] = ss[i];
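Review bot: The new guard in vrend_update_scissor_state carries no comment explaining why `break` rather than `continue` is the right reaction, and why a range check is needed here at all when the setter is also being validated in this patch. Since u_bit_scan() yields set bits in increasing order, every later index in `mask` is also out of range, so stopping the loop is correct, and the check remains useful as defense in depth in case some other writer of the dirty mask is missed; a comment such as `/* bits come out in increasing order: any later index is also out of range. */` above the `break` would make that intent explicit. The origin of `mask` and the declared type of `idx` are outside the hunk, so whether a signed `idx` could slip below zero past this check cannot be confirmed from the hunk. The body of vrend_update_scissor_state continues past the hunk.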
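Review bot: The range check in vrend_set_scissor_state is only sufficient if `start_slot` and `num_scissor` are unsigned; their declarations are on the signature line that the hunk header truncates, so this cannot be confirmed here. If either is a signed type, a negative `start_slot` passes `start_slot > PIPE_MAX_VIEWPORTS`, makes `PIPE_MAX_VIEWPORTS - start_slot` larger rather than smaller, and the loop then writes `ctx->sub->ss[idx]` with a negative `idx`. If they are signed, a companion check such as `if (start_slot < 0 || num_scissor < 0) { vrend_report_buffer_error(ctx, 0); return; }` closes that path; if they are unsigned, `int i` being compared against an unsigned `num_scissor` in the loop condition is worth a comment. Note also that `start_slot == PIPE_MAX_VIEWPORTS` with `num_scissor == 0` is accepted, which is harmless since the loop does not run. The rest of the function, including any dirty-mask update, lies outside the hunk.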