renderer: prevent out of bound vps access

Fix found thanks to american fuzzy lop.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
macos/master
Marc-André Lureau 9 years ago committed by Dave Airlie
parent 18e4808c1d
commit bfa6cd741d
  1. 2
      src/vrend_decode.c
  2. 10
      src/vrend_renderer.c
  3. 2
      src/vrend_renderer.h

@ -172,7 +172,7 @@ static int vrend_decode_set_viewport_state(struct vrend_decode_ctx *ctx, int len
{
struct pipe_viewport_state vps[PIPE_MAX_VIEWPORTS];
int i, v;
int num_viewports, start_slot;
uint32_t num_viewports, start_slot;
if (length < 1)
return EINVAL;
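Review bot: Switching `num_viewports` and `start_slot` to `uint32_t` in vrend_decode_set_viewport_state does not by itself bound writes into the local `vps[PIPE_MAX_VIEWPORTS]` array. The range check this commit adds sits in vrend_set_viewport_states, which can only run after the decoder has already populated `vps`. The rest of this function is outside the hunk, so this is inferred rather than confirmed: if the fill loop is driven by a count derived from `length`, the decoder should reject oversized counts itself before touching the array, for example `if (num_viewports > PIPE_MAX_VIEWPORTS) return EINVAL;`. The loop counters `int i, v` are also left signed while the count they would be compared against is now unsigned.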

@ -1562,8 +1562,8 @@ void vrend_set_framebuffer_state(struct vrend_context *ctx,
* an FBO already so don't need to invert rendering?
*/
void vrend_set_viewport_states(struct vrend_context *ctx,
int start_slot,
int num_viewports,
uint32_t start_slot,
uint32_t num_viewports,
const struct pipe_viewport_state *state)
{
/* convert back to glViewport */
@ -1574,6 +1574,12 @@ void vrend_set_viewport_states(struct vrend_context *ctx,
GLfloat abs_s1 = fabsf(state->scale[1]);
int i, idx;
if (num_viewports > PIPE_MAX_VIEWPORTS ||
start_slot > (PIPE_MAX_VIEWPORTS - num_viewports)) {
report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER, num_viewports);
return;
}
for (i = 0; i < num_viewports; i++) {
idx = start_slot + i;
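Review bot: The new bounds check in vrend_set_viewport_states passes `num_viewports` to `report_context_error` for both conditions, so a rejected `start_slot` is logged with a count that may itself be valid. Passing `start_slot` when the second condition fails would make the error unambiguous during triage of fuzzing or guest-triggered failures. The check is only safe because the first condition short-circuits before `PIPE_MAX_VIEWPORTS - num_viewports` can underflow, and because it avoids computing `start_slot + num_viewports`; a comment such as `/* compare against remaining room: start_slot + num_viewports could wrap in uint32_t */` would stop a later cleanup from simplifying it into the unsafe form. `int i, idx` are still signed while the count is now `uint32_t`, which is harmless once the bound holds but would be cleaner as `uint32_t`. The function body starts and continues outside this hunk.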

@ -210,7 +210,7 @@ int vrend_transfer_inline_write(struct vrend_context *ctx,
unsigned usage);
void vrend_set_viewport_states(struct vrend_context *ctx,
int start_slot, int num_viewports,
uint32_t start_slot, uint32_t num_viewports,
const struct pipe_viewport_state *state);
void vrend_set_num_sampler_views(struct vrend_context *ctx,
uint32_t shader_type,
