[Mesa-dev] [PATCH v3] gallium/tgsi: fix overflow in parse property
Marek Olšák
maraeo at gmail.com
Wed Jan 11 14:44:50 UTC 2017
Pushed, thanks.
Marek
On Tue, Jan 10, 2017 at 9:56 AM, Li Qiang <liq3ea at gmail.com> wrote:
> In parse_identifier, it doesn't stop copying '*pcur'
> until encountering the NULL. As the 'ret' has a
> fixed-size buffer, if the '*pcur' has a long string,
> there will be a buffer overflow. This patch avoids this.
>
> Signed-off-by: Li Qiang <liq3ea at gmail.com>
> ---
> src/gallium/auxiliary/tgsi/tgsi_text.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/src/gallium/auxiliary/tgsi/tgsi_text.c b/src/gallium/auxiliary/tgsi/tgsi_text.c
> index 1b4f594..308e6b5 100644
> --- a/src/gallium/auxiliary/tgsi/tgsi_text.c
> +++ b/src/gallium/auxiliary/tgsi/tgsi_text.c
> @@ -208,14 +208,17 @@ static boolean parse_int( const char **pcur, int *val )
> return FALSE;
> }
>
> -static boolean parse_identifier( const char **pcur, char *ret )
> +static boolean parse_identifier( const char **pcur, char *ret, size_t len )
> {
> const char *cur = *pcur;
> int i = 0;
> if (is_alpha_underscore( cur )) {
> ret[i++] = *cur++;
> - while (is_alpha_underscore( cur ) || is_digit( cur ))
> + while (is_alpha_underscore( cur ) || is_digit( cur )) {
> + if (i == len - 1)
> + return FALSE;
> ret[i++] = *cur++;
> + }
> ret[i++] = '\0';
> *pcur = cur;
> return TRUE;
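Review bot: the bound check `if (i == len - 1)` compares `int i` against `size_t len`, which is a signed/unsigned comparison that `-Wsign-compare` will flag; declare `i` as `size_t` (or `unsigned`) so the types match. The bound itself is right: when `i == len - 1` there is no room for both another character and the terminator written by `ret[i++] = '\0'`. Note that the first write `ret[i++] = *cur++;` before the loop is not guarded, so the function silently assumes `len >= 2`; either document that precondition in a comment on the new `len` parameter (it is the total buffer size including the terminator) or add an early `if (len < 2) return FALSE;`. On the overflow path `ret` is left unterminated and `*pcur` is not advanced, which is fine as long as every caller treats FALSE as a hard error and never reads `ret` afterwards.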
> @@ -1787,7 +1790,7 @@ static boolean parse_property( struct translate_ctx *ctx )
> report_error( ctx, "Syntax error" );
> return FALSE;
> }
> - if (!parse_identifier( &ctx->cur, id )) {
> + if (!parse_identifier( &ctx->cur, id, sizeof(id) )) {
> report_error( ctx, "Syntax error" );
> return FALSE;
> }
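Review bot: `sizeof(id)` only yields the buffer size if `id` is declared as an array in this scope; its declaration is outside the hunk, so please confirm it is not a pointer parameter, where `sizeof` would give the pointer size instead. The diffstat shows this as the only call site updated after the signature change, which implies it is the sole caller (anything else would fail to compile); worth stating in the commit message. Since an over-long identifier now fails with the same "Syntax error" as a malformed one, consider a distinct message such as "Identifier too long" to make the rejection easier to diagnose when a shader is refused.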
> --
> 2.7.4
>
> _______________________________________________
> mesa-dev mailing list
> mesa-dev at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/mesa-dev