Mesa (bug-109980): egl/dri: Avoid out of bounds array access
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Wed Mar 13 18:54:16 UTC 2019
Module: Mesa
Branch: bug-109980
Commit: 70b36c0ef939048acb9c4727b2e4280fc090eb74
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=70b36c0ef939048acb9c4727b2e4280fc090eb74
Author: Kevin Strasser <kevin.strasser at intel.com>
Date: Mon Jan 28 10:42:44 2019 -0800
egl/dri: Avoid out of bounds array access
indexConfigAttrib iterates over every index in the dri driver, possibly
exceeding __DRI_ATTRIB_MAX. In other words, if the dri driver has newer
attributes libEGL will end up reading from uninitialized memory through
dri2_to_egl_attribute_map[].
Signed-off-by: Kevin Strasser <kevin.strasser at intel.com>
Cc: mesa-stable at lists.freedesktop.org
Reviewed-by: Emil Velikov <emil.velikov at collabora.com>
---
src/egl/drivers/dri2/egl_dri2.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/egl/drivers/dri2/egl_dri2.c b/src/egl/drivers/dri2/egl_dri2.c
index 9c9b753fafe..6acc99aa62a 100644
--- a/src/egl/drivers/dri2/egl_dri2.c
+++ b/src/egl/drivers/dri2/egl_dri2.c
@@ -213,8 +213,10 @@ dri2_add_config(_EGLDisplay *disp, const __DRIconfig *dri_config, int id,
bind_to_texture_rgb = 0;
bind_to_texture_rgba = 0;
- for (int i = 0; dri2_dpy->core->indexConfigAttrib(dri_config, i, &attrib,
- &value); ++i) {
+ for (int i = 0; i < __DRI_ATTRIB_MAX; ++i) {
+ if (!dri2_dpy->core->indexConfigAttrib(dri_config, i, &attrib, &value))
+ break;
+
switch (attrib) {
case __DRI_ATTRIB_RENDER_TYPE:
if (value & __DRI_ATTRIB_RGBA_BIT)
More information about the mesa-commit
mailing list