[Mesa-dev] [PATCH 4/4] mesa: Avoid out-of-bounds stack read via _mesa_Materiali

Edward O'Callaghan funfunctor at folklore1984.net
Wed Feb 22 23:54:59 UTC 2017 

indeed 1, 3 & 4 - good catches,
Reviewed-by: Edward O'Callaghan <funfunctor at folklore1984.net>

On 02/23/2017 07:29 AM, Marek Olšák wrote:
> For 1, 3, 4:
> 
> Reviewed-by: Marek Olšák <marek.olsak at amd.com>
> 
> I need some time to review patch 2 unless someone else beats me to it.
> 
> Marek
> 
> On Wed, Feb 22, 2017 at 8:04 PM, Nicolai Hähnle <nhaehnle at gmail.com> wrote:
>> From: Nicolai Hähnle <nicolai.haehnle at amd.com>
>>
>> MATERIALFV may end up reading up to 4 floats from the passed parameter.
>>
>> This should really set a GL_INVALID_ENUM error in the cases where it
>> matters, but does anybody really care?
>>
>> Found by ASAN in piglit gl-1.0-beginend-coverage.
>> ---
>>  src/mesa/main/api_loopback.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/mesa/main/api_loopback.c b/src/mesa/main/api_loopback.c
>> index 8b63d9c..1db6ce1 100644
>> --- a/src/mesa/main/api_loopback.c
>> +++ b/src/mesa/main/api_loopback.c
>> @@ -858,21 +858,22 @@ void GLAPIENTRY
>>  _mesa_Materialf( GLenum face, GLenum pname, GLfloat param )
>>  {
>>     GLfloat fparam[4];
>>     fparam[0] = param;
>>     MATERIALFV( face, pname, fparam );
>>  }
>>
>>  void GLAPIENTRY
>>  _mesa_Materiali(GLenum face, GLenum pname, GLint param )
>>  {
>> -   GLfloat p = (GLfloat) param;
>> +   GLfloat p[4];
>> +   p[0] = (GLfloat) param;
>>     MATERIALFV(face, pname, &p);
>>  }
>>
>>  void GLAPIENTRY
>>  _mesa_Materialiv(GLenum face, GLenum pname, const GLint *params )
>>  {
>>     GLfloat fparam[4];
>>     switch (pname) {
>>     case GL_AMBIENT:
>>     case GL_DIFFUSE:
>> --
>> 2.9.3
>>
>> _______________________________________________
>> mesa-dev mailing list
>> mesa-dev at lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/mesa-dev
> _______________________________________________
> mesa-dev mailing list
> mesa-dev at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/mesa-dev
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/mesa-dev/attachments/20170223/6fcf5f73/attachment-0001.sig>

More information about the mesa-dev mailing list