Mesa (staging/20.1): mesa: fix out of bounds access in glGetFramebufferParameterivEXT

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Sun Aug 2 18:02:13 UTC 2020 

Module: Mesa
Branch: staging/20.1
Commit: 71e4fd10210730fd93546bd752c82eee1632583b
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=71e4fd10210730fd93546bd752c82eee1632583b

Author: Marcin Ślusarz <marcin.slusarz at intel.com>
Date:   Fri Jul 24 19:19:07 2020 +0200

mesa: fix out of bounds access in glGetFramebufferParameterivEXT

ColorDrawBuffer is an array of MAX_DRAW_BUFFERS == 8.

Found by Coverity.

Signed-off-by: Marcin Ślusarz <marcin.slusarz at intel.com>
Fixes: 7534c536ca0 ("mesa: add EXT_dsa (Named)Framebuffer functions")
Reviewed-by: Marek Olšák <marek.olsak at amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/6067>
(cherry picked from commit 0906d5d504eb0209556787b020a6df58b4cc3069)

---

 .pick_status.json        | 2 +-
 src/mesa/main/fbobject.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.pick_status.json b/.pick_status.json
index bb1a00fb0f9..947f53854a7 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -220,7 +220,7 @@
         "description": "mesa: fix out of bounds access in glGetFramebufferParameterivEXT",
         "nominated": true,
         "nomination_type": 1,
-        "resolution": 0,
+        "resolution": 1,
         "master_sha": null,
         "because_sha": "7534c536ca0f4b2b123200f421460094034f37a3"
     },
diff --git a/src/mesa/main/fbobject.c b/src/mesa/main/fbobject.c
index 298a6b35d0a..e43d07b2b8c 100644
--- a/src/mesa/main/fbobject.c
+++ b/src/mesa/main/fbobject.c
@@ -4814,7 +4814,11 @@ _mesa_GetFramebufferParameterivEXT(GLuint framebuffer, GLenum pname,
          *param = fb->ColorReadBuffer;
       }
       else if (GL_DRAW_BUFFER0 <= pname && pname <= GL_DRAW_BUFFER15) {
-         *param = fb->ColorDrawBuffer[pname - GL_DRAW_BUFFER0];
+         unsigned buffer = pname - GL_DRAW_BUFFER0;
+         if (buffer < ARRAY_SIZE(fb->ColorDrawBuffer))
+            *param = fb->ColorDrawBuffer[buffer];
+         else
+            _mesa_error(ctx, GL_INVALID_ENUM, "glGetFramebufferParameterivEXT(pname)");
       }
       else {
          _mesa_error(ctx, GL_INVALID_ENUM, "glGetFramebufferParameterivEXT(pname)");

More information about the mesa-commit mailing list