Fix create_shader buf boundary check

Adding check for the length of the buf to avoid buffer overflow attack. Signed-off-by: Dave Airlie <airlied@redhat.com>
6 years ago · edd2478358
parent fe7a1efc7f
commit edd2478358
1 changed files with 3 additions and 1 deletions
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@ -73,7 +73,7 @@ static int vrend_decode_create_shader(struct vrend_decode_ctx *ctx,
   uint8_t *shd_text;
   uint32_t type;

-   if (length < 5)
+   if (length < VIRGL_OBJ_SHADER_HDR_SIZE(0))
      return EINVAL;

   type = get_buf_entry(ctx, VIRGL_OBJ_SHADER_TYPE);
@ -81,6 +81,8 @@ static int vrend_decode_create_shader(struct vrend_decode_ctx *ctx,
   offlen = get_buf_entry(ctx, VIRGL_OBJ_SHADER_OFFSET);
   num_so_outputs = get_buf_entry(ctx, VIRGL_OBJ_SHADER_SO_NUM_OUTPUTS);

+   if (length < VIRGL_OBJ_SHADER_HDR_SIZE(num_so_outputs))
+      return EINVAL;
   if (num_so_outputs > PIPE_MAX_SO_OUTPUTS)
      return EINVAL;