Mesa (main): dri: Check buffer height and avoid overflow

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Sat Jul 9 22:27:47 UTC 2022


Module: Mesa
Branch: main
Commit: c73cc1785a65c54fb8fcec5987f4181d80c5187a
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=c73cc1785a65c54fb8fcec5987f4181d80c5187a

Author: Marek Vasut <marex at denx.de>
Date:   Sun May 15 02:21:37 2022 +0200

dri: Check buffer height and avoid overflow

The dri2_allocate_buffer() can be called with arbitrary height, however
the struct pipe_resource .height0 member is uint16_t. Check height for
maximum size to avoid overflow. Note that .width0 is unsigned int, so
it does not have the same issue.

The uint16 limit comes from commit:
e6428092f5e ("gallium: decrease the size of pipe_resource - 64 -> 48 bytes")

The overflow can be triggered e.g. by requesting a large BO:
```
gbm_bo_create(dev, 1, 640*480*4, GBM_FORMAT_R8, GBM_BO_USE_LINEAR);
```

Signed-off-by: Marek Vasut <marex at denx.de>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/16513>

---

 src/gallium/frontends/dri/dri2.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/gallium/frontends/dri/dri2.c b/src/gallium/frontends/dri/dri2.c
index cf4e2a5ef3f..c05316b2ad5 100644
--- a/src/gallium/frontends/dri/dri2.c
+++ b/src/gallium/frontends/dri/dri2.c
@@ -304,6 +304,10 @@ dri2_allocate_buffer(__DRIscreen *sPriv,
    unsigned bind = 0;
    struct winsys_handle whandle;
 
+   /* struct pipe_resource height0 is 16-bit, avoid overflow */
+   if (height > 0xffff)
+      return NULL;
+
    switch (attachment) {
       case __DRI_BUFFER_FRONT_LEFT:
       case __DRI_BUFFER_FAKE_FRONT_LEFT:
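
Review bot: the bound in `if (height > 0xffff)` is a bare literal that restates the width of `pipe_resource.height0`, so the check goes stale without warning if that field's type changes again, as it did in e6428092f5e. Consider `UINT16_MAX`, or a named limit defined next to the struct, so the guard and the field stay tied together. The early `return NULL` is also silent; a debug message stating that the requested height exceeds the 16-bit limit would help whoever hits it tell a rejected request from an allocation failure. Finally, the guard covers only `dri2_allocate_buffer()`, while the reproducer in the commit message is a `gbm_bo_create()` call: it is worth confirming that this call actually reaches the new check, and that any other path assigning a wider integer to `height0` has the same bound.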


