[Mesa-dev] [PATCH 4/4] mesa: Avoid out-of-bounds stack read via _mesa_Materiali
Marek Olšák
maraeo at gmail.com
Wed Feb 22 20:29:54 UTC 2017
For 1, 3, 4:
Reviewed-by: Marek Olšák <marek.olsak at amd.com>
I need some time to review patch 2 unless someone else beats me to it.
Marek
On Wed, Feb 22, 2017 at 8:04 PM, Nicolai Hähnle <nhaehnle at gmail.com> wrote:
> From: Nicolai Hähnle <nicolai.haehnle at amd.com>
>
> MATERIALFV may end up reading up to 4 floats from the passed parameter.
>
> This should really set a GL_INVALID_ENUM error in the cases where it
> matters, but does anybody really care?
>
> Found by ASAN in piglit gl-1.0-beginend-coverage.
> ---
> src/mesa/main/api_loopback.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/mesa/main/api_loopback.c b/src/mesa/main/api_loopback.c
> index 8b63d9c..1db6ce1 100644
> --- a/src/mesa/main/api_loopback.c
> +++ b/src/mesa/main/api_loopback.c
> @@ -858,21 +858,22 @@ void GLAPIENTRY
> _mesa_Materialf( GLenum face, GLenum pname, GLfloat param )
> {
> GLfloat fparam[4];
> fparam[0] = param;
> MATERIALFV( face, pname, fparam );
> }
>
> void GLAPIENTRY
> _mesa_Materiali(GLenum face, GLenum pname, GLint param )
> {
> - GLfloat p = (GLfloat) param;
> + GLfloat p[4];
> + p[0] = (GLfloat) param;
> MATERIALFV(face, pname, &p);
> }
>
> void GLAPIENTRY
> _mesa_Materialiv(GLenum face, GLenum pname, const GLint *params )
> {
> GLfloat fparam[4];
> switch (pname) {
> case GL_AMBIENT:
> case GL_DIFFUSE:
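Review bot: in _mesa_Materiali the call still passes `&p` after `p` became `GLfloat p[4]`, so the argument is now a pointer to the whole array (`GLfloat (*)[4]`) rather than a `GLfloat *`; pass `p`, the way _mesa_Materialf just above passes `fparam`. The address is the same, so the read stays inside the array, but the type no longer matches a float pointer and may draw an incompatible-pointer warning depending on how MATERIALFV is declared. Separately, only `p[0]` is written: for the pname values where MATERIALFV reads up to 4 floats (per the commit message), elements 1 to 3 are indeterminate stack contents, so the out-of-bounds read is replaced by an uninitialized read, as is already the case in _mesa_Materialf. Initializing the array, e.g. `GLfloat p[4] = { (GLfloat) param, 0, 0, 0 };`, would make the result deterministic until the GL_INVALID_ENUM check mentioned in the commit message is added.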
> --
> 2.9.3
>