gallium/tgsi: fix overflow in parse property

In parse_identifier, it doesn't stop copying '*pcur' untill encounter the NULL. As the 'ret' has a fixed-size buffer, if the '*pcur' has a long string, there will be a buffer overflow. This patch avoid this. Signed-off-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
8 years ago · e534b51ca3
parent a5ac49940c
commit e534b51ca3
1 changed files with 6 additions and 3 deletions
--- a/src/gallium/auxiliary/tgsi/tgsi_text.c
+++ b/src/gallium/auxiliary/tgsi/tgsi_text.c
@ -180,14 +180,17 @@ static boolean parse_int( const char **pcur, int *val )
   return FALSE;
 }

-static boolean parse_identifier( const char **pcur, char *ret )
+static boolean parse_identifier( const char **pcur, char *ret, size_t len )
 {
   const char *cur = *pcur;
   int i = 0;
   if (is_alpha_underscore( cur )) {
      ret[i++] = *cur++;
-      while (is_alpha_underscore( cur ) || is_digit( cur ))
+      while (is_alpha_underscore( cur ) || is_digit( cur )) {
+         if (i == len - 1)
+            return FALSE;
         ret[i++] = *cur++;
+      }
      ret[i++] = '\0';
      *pcur = cur;
      return TRUE;
@ -1590,7 +1593,7 @@ static boolean parse_property( struct translate_ctx *ctx )
      report_error( ctx, "Syntax error" );
      return FALSE;
   }
-   if (!parse_identifier( &ctx->cur, id )) {
+   if (!parse_identifier( &ctx->cur, id, sizeof(id) )) {
      report_error( ctx, "Syntax error" );
      return FALSE;
   }