[Mesa-dev] [PATCH 4/4] mesa: Avoid out-of-bounds stack read via _mesa_Materiali
Ian Romanick
idr at freedesktop.org
Thu Feb 23 01:53:25 UTC 2017
On 02/22/2017 11:04 AM, Nicolai Hähnle wrote:
> From: Nicolai Hähnle <nicolai.haehnle at amd.com>
>
> MATERIALFV may end up reading up to 4 floats from the passed parameter.
>
> This should really set a GL_INVALID_ENUM error in the cases where it
> matters, but does anybody really care?
Probably not, but it would be easy enough to fix. Only GL_SHININESS can
have a single value. *shrug* This patch is also
Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>
> Found by ASAN in piglit gl-1.0-beginend-coverage.
> ---
> src/mesa/main/api_loopback.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/mesa/main/api_loopback.c b/src/mesa/main/api_loopback.c
> index 8b63d9c..1db6ce1 100644
> --- a/src/mesa/main/api_loopback.c
> +++ b/src/mesa/main/api_loopback.c
> @@ -858,21 +858,22 @@ void GLAPIENTRY
> _mesa_Materialf( GLenum face, GLenum pname, GLfloat param )
> {
> GLfloat fparam[4];
> fparam[0] = param;
> MATERIALFV( face, pname, fparam );
> }
>
> void GLAPIENTRY
> _mesa_Materiali(GLenum face, GLenum pname, GLint param )
> {
> - GLfloat p = (GLfloat) param;
> + GLfloat p[4];
> + p[0] = (GLfloat) param;
> MATERIALFV(face, pname, &p);
> }
>
> void GLAPIENTRY
> _mesa_Materialiv(GLenum face, GLenum pname, const GLint *params )
> {
> GLfloat fparam[4];
> switch (pname) {
> case GL_AMBIENT:
> case GL_DIFFUSE:
>
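Review bot: In _mesa_Materiali the call is still MATERIALFV(face, pname, &p); but p is now declared as GLfloat p[4], so &p is a pointer to the whole array rather than to its first GLfloat. Pass p directly, the way _mesa_Materialf passes fparam, to keep the argument type consistent and avoid an incompatible-pointer-type warning if MATERIALFV expands to a call taking a const GLfloat pointer. Separately, only p[0] is assigned, so for any pname that consumes four floats the read is now in bounds but covers three uninitialized elements (the same holds for fparam in _mesa_Materialf). Zero-initializing the array, or rejecting those pname values with GL_INVALID_ENUM as the commit message mentions, would make the result well defined.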