From edd24783581f6ed3cd83072f7d0475dce24123e9 Mon Sep 17 00:00:00 2001
From: Po-Hsien Wang
Date: Fri, 20 Jul 2018 15:01:04 -0700
Subject: [PATCH] Fix create_shader buf boundary check
Adding check for the length of the buf to avoid buffer overflow attack.
Signed-off-by: Dave Airlie
---
src/vrend_decode.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index 11fe149..7013cd5 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -73,7 +73,7 @@ static int vrend_decode_create_shader(struct vrend_decode_ctx *ctx,
 uint8_t *shd_text;
 uint32_t type;
- if (length < 5)
+ if (length < VIRGL_OBJ_SHADER_HDR_SIZE(0))
 return EINVAL;
 type = get_buf_entry(ctx, VIRGL_OBJ_SHADER_TYPE);
@@ -81,6 +81,8 @@ static int vrend_decode_create_shader(struct vrend_decode_ctx *ctx,
 offlen = get_buf_entry(ctx, VIRGL_OBJ_SHADER_OFFSET);
 num_so_outputs = get_buf_entry(ctx, VIRGL_OBJ_SHADER_SO_NUM_OUTPUTS);
+ if (length < VIRGL_OBJ_SHADER_HDR_SIZE(num_so_outputs))
+ return EINVAL;
 if (num_so_outputs > PIPE_MAX_SO_OUTPUTS)
 return EINVAL;
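Review bot: The guard `if (length < VIRGL_OBJ_SHADER_HDR_SIZE(0))` is what makes the `get_buf_entry()` reads after it safe, but nothing in the code says so or ties the macro to the highest index read. A one-line comment such as `/* header with no stream-output entries; must cover every get_buf_entry() index read below */` would record that invariant. This assumes the macro's value for 0 covers `VIRGL_OBJ_SHADER_SO_NUM_OUTPUTS`, which should be confirmed because its definition is not part of this patch. The function body starts before and continues after this hunk.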
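Review bot: The added `length < VIRGL_OBJ_SHADER_HDR_SIZE(num_so_outputs)` test evaluates the macro on `num_so_outputs` before the `num_so_outputs > PIPE_MAX_SO_OUTPUTS` range check, so the size is computed from a count read straight from the command buffer and not yet bounded. The macro's definition is not shown here; if it multiplies or adds in 32-bit arithmetic, a very large count could wrap to a small size, and the length test would then depend on the following range check to reject the command. Swapping the two tests keeps the arithmetic bounded and lets each check stand on its own: `if (num_so_outputs > PIPE_MAX_SO_OUTPUTS) return EINVAL;` first, then `if (length < VIRGL_OBJ_SHADER_HDR_SIZE(num_so_outputs)) return EINVAL;`. The rest of the function lies outside the hunk.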