renderer: validate scissor state index

Check the the index is < PIPE_MAX_VIEWPORTS.

Fix found thanks to american fuzzy lop.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
macos/master
Marc-André Lureau 9 years ago committed by Dave Airlie
parent 2aa6c5bca9
commit b079de618e
  1. 11
      src/vrend_renderer.c

@ -2311,6 +2311,10 @@ static void vrend_update_scissor_state(struct vrend_context *ctx)
while (mask) { while (mask) {
idx = u_bit_scan(&mask); idx = u_bit_scan(&mask);
if (idx >= PIPE_MAX_VIEWPORTS) {
vrend_report_buffer_error(ctx, 0);
break;
}
ss = &ctx->sub->ss[idx]; ss = &ctx->sub->ss[idx];
if (ctx->sub->viewport_is_negative) if (ctx->sub->viewport_is_negative)
y = ss->miny; y = ss->miny;
@ -4939,6 +4943,13 @@ void vrend_set_scissor_state(struct vrend_context *ctx,
struct pipe_scissor_state *ss) struct pipe_scissor_state *ss)
{ {
int i, idx; int i, idx;
if (start_slot > PIPE_MAX_VIEWPORTS ||
num_scissor > (PIPE_MAX_VIEWPORTS - start_slot)) {
vrend_report_buffer_error(ctx, 0);
return;
}
for (i = 0; i < num_scissor; i++) { for (i = 0; i < num_scissor; i++) {
idx = start_slot + i; idx = start_slot + i;
ctx->sub->ss[idx] = ss[i]; ctx->sub->ss[idx] = ss[i];

Loading…
Cancel
Save