Mesa (main): dri: Check buffer height and avoid overflow
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Sat Jul 9 22:27:47 UTC 2022
Module: Mesa
Branch: main
Commit: c73cc1785a65c54fb8fcec5987f4181d80c5187a
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=c73cc1785a65c54fb8fcec5987f4181d80c5187a
Author: Marek Vasut <marex at denx.de>
Date: Sun May 15 02:21:37 2022 +0200
dri: Check buffer height and avoid overflow
The dri2_allocate_buffer() can be called with arbitrary height, however
the struct pipe_resource .height0 member is uint16_t. Check height for
maximum size to avoid overflow. Note that .width0 is unsigned int, so
it does not have the same issue.
The uint16 limit comes from commit:
e6428092f5e ("gallium: decrease the size of pipe_resource - 64 -> 48 bytes")
The overflow can be triggered e.g. by requesting large BO:
```
gbm_bo_create(dev, 1, 640*480*4, GBM_FORMAT_R8, GBM_BO_USE_LINEAR);
```
Signed-off-by: Marek Vasut <marex at denx.de>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/16513>
---
src/gallium/frontends/dri/dri2.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/gallium/frontends/dri/dri2.c b/src/gallium/frontends/dri/dri2.c
index cf4e2a5ef3f..c05316b2ad5 100644
--- a/src/gallium/frontends/dri/dri2.c
+++ b/src/gallium/frontends/dri/dri2.c
@@ -304,6 +304,10 @@ dri2_allocate_buffer(__DRIscreen *sPriv,
unsigned bind = 0;
struct winsys_handle whandle;
+ /* struct pipe_resource height0 is 16-bit, avoid overflow */
+ if (height > 0xffff)
+ return NULL;
+
switch (attachment) {
case __DRI_BUFFER_FRONT_LEFT:
case __DRI_BUFFER_FAKE_FRONT_LEFT:
More information about the mesa-commit
mailing list