decode: fix set_scissor_state bounds

Do not accept negative values for num & start. Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
9 years ago · ec24bd2211
parent 78f8994a63
commit ec24bd2211
3 changed files with 5 additions and 5 deletions
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@ -762,7 +762,7 @@ static int vrend_decode_set_scissor_state(struct vrend_decode_ctx *ctx, int leng
 {
   struct pipe_scissor_state ss[PIPE_MAX_VIEWPORTS];
   uint32_t temp;
-   int num_scissor, start_slot;
+   uint32_t num_scissor, start_slot;
   int s;
   if (length < 1)
      return EINVAL;
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@ -4972,8 +4972,8 @@ void vrend_set_blend_color(struct vrend_context *ctx,
 }

 void vrend_set_scissor_state(struct vrend_context *ctx,
-                             int start_slot,
-                             int num_scissor,
+                             uint32_t start_slot,
+                             uint32_t num_scissor,
                             struct pipe_scissor_state *ss)
 {
   int i, idx;
--- a/src/vrend_renderer.h
+++ b/src/vrend_renderer.h
@ -255,8 +255,8 @@ void vrend_renderer_blit(struct vrend_context *ctx,
 void vrend_set_stencil_ref(struct vrend_context *ctx, struct pipe_stencil_ref *ref);
 void vrend_set_blend_color(struct vrend_context *ctx, struct pipe_blend_color *color);
 void vrend_set_scissor_state(struct vrend_context *ctx,
-                             int start_slot,
-                             int num_scissor,
+                             uint32_t start_slot,
+                             uint32_t num_scissor,
                             struct pipe_scissor_state *ss);

 void vrend_set_polygon_stipple(struct vrend_context *ctx, struct pipe_poly_stipple *ps);