[Mesa-dev] [PATCH 4/4] mesa: Avoid out-of-bounds stack read via _mesa_Materiali
Nicolai Hähnle
nhaehnle at gmail.com
Wed Feb 22 19:04:40 UTC 2017
From: Nicolai Hähnle <nicolai.haehnle at amd.com>
MATERIALFV may end up reading up to 4 floats from the passed parameter.
This should really set a GL_INVALID_ENUM error in the cases where it
matters, but does anybody really care?
Found by ASAN in piglit gl-1.0-beginend-coverage.
---
src/mesa/main/api_loopback.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mesa/main/api_loopback.c b/src/mesa/main/api_loopback.c
index 8b63d9c..1db6ce1 100644
--- a/src/mesa/main/api_loopback.c
+++ b/src/mesa/main/api_loopback.c
@@ -858,21 +858,22 @@ void GLAPIENTRY
_mesa_Materialf( GLenum face, GLenum pname, GLfloat param )
{
GLfloat fparam[4];
fparam[0] = param;
MATERIALFV( face, pname, fparam );
}
void GLAPIENTRY
_mesa_Materiali(GLenum face, GLenum pname, GLint param )
{
- GLfloat p = (GLfloat) param;
+ GLfloat p[4];
+ p[0] = (GLfloat) param;
MATERIALFV(face, pname, &p);
}
void GLAPIENTRY
_mesa_Materialiv(GLenum face, GLenum pname, const GLint *params )
{
GLfloat fparam[4];
switch (pname) {
case GL_AMBIENT:
case GL_DIFFUSE:
--
2.9.3
More information about the mesa-dev
mailing list