[Mesa-dev] [PATCH 2/2] glsl: Don't crash on function names with invalid identifiers.
Kenneth Graunke
kenneth at whitecape.org
Sat Nov 12 20:46:43 UTC 2016
Karol Herbst's fuzzing efforts noticed that we would segfault on:

   void bug() {
      2(0);
   }

We just need to bail if the function name isn't an identifier.
Based on a bug fix by Karol Herbst.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97422
Signed-off-by: Kenneth Graunke <kenneth at whitecape.org>
---
src/compiler/glsl/ast_function.cpp | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/compiler/glsl/ast_function.cpp b/src/compiler/glsl/ast_function.cpp
index ac3b52d..3f353a3 100644
--- a/src/compiler/glsl/ast_function.cpp
+++ b/src/compiler/glsl/ast_function.cpp
@@ -2090,7 +2090,7 @@ ast_function_expression::hir(exec_list *instructions,
return handle_method(instructions, state);
} else {
const ast_expression *id = subexpressions[0];
- const char *func_name;
+ const char *func_name = NULL;
YYLTYPE loc = get_location();
exec_list actual_parameters;
ir_variable *sub_var = NULL;
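Review bot: The `= NULL` on the `func_name` declaration is load-bearing and nothing at the declaration says so: the new final `else` in the following hunk reports an error and leaves `func_name` unassigned, so the code after it depends on the pointer being NULL rather than indeterminate. A one-line comment here (for example, that NULL means an error was already reported) would keep a later cleanup from dropping the initializer and bringing the crash back.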
@@ -2104,8 +2104,10 @@ ast_function_expression::hir(exec_list *instructions,
id->subexpressions[0],
id->subexpressions[1], &func_name,
&actual_parameters);
- } else {
+ } else if (id->oper == ast_identifier) {
func_name = id->primary_expression.identifier;
+ } else {
+ _mesa_glsl_error(&loc, state, "function name is not an identifier");
}
/* an error was emitted earlier */
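Review bot: The new final `else` calls `_mesa_glsl_error()` but does not return, so correctness rests on the check under `/* an error was emitted earlier */`, which is cut off from this hunk's context; please confirm it tests `func_name` for NULL and bails before `func_name` is used. The diffstat shows only ast_function.cpp changing, so the reproducer from the commit message (`2(0);` inside a function body) would be worth adding as a compile-failure test with this fix, since the bug was found by fuzzing and is easy to reintroduce.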
--
2.10.2