[Mesa-dev] [PATCH] egl: use unsigned int index when iterating over attrib_list

Emil Velikov emil.l.velikov at gmail.com
Tue Sep 27 15:52:19 UTC 2016


On 27 September 2016 at 16:18, Eric Engestrom <eric.engestrom at imgtec.com> wrote:
> On Tue, Sep 27, 2016 at 04:10:53PM +0200, Nicolai Hähnle wrote:
>> On 27.09.2016 14:40, Emil Velikov wrote:
>> > From: Emil Velikov <emil.velikov at collabora.com>
>> >
>> > Otherwise one can overflow the signed variable and (attempt to) cause
>> > all sorts of strange behaviour.
>>
>> As long as we're worrying about such things, shouldn't it really be a size_t
>> then? With that,
>
> Agreed, and you can also have my r-b.
>
> One question though: why these specific `i`s? There are plenty more `i`s
> (in these files) that could use the same treatment, not to mention other
> variables.
> It's not as if these are the most overflow-critical either: I'm pretty
> sure if we have >INT_MAX attributes, we have more pressing problems than
> overflowing the attrib counter :P
The gripe is about (possible) intentional abuse of the attrib_list,
with which one can read/modify the stack*. Nobody in their
right mind is (should be) using more than UINT_MAX attributes, so
size_t won't bring much. But if you insist...

I've gone ahead with a simple grep for EGL_NONE, although one could
expand things throughout egl (and mesa as a whole). Feel free to
pursue :-)

-Emil
* Haven't bothered coming up with a specific attack and I'm not 100%
sure it's possible in all the cases.

