[Mesa-dev] [PATCH 09/25] mesa: Validate count parameters when marshalling.

Timothy Arceri tarceri at itsqueeze.com
Tue Mar 7 06:21:21 UTC 2017 

From: Eric Anholt <eric at anholt.net>

Otherwise, for example, glDeleteBuffers(-1, &bo) gets you a segfault
instead of GL_INVALID_VALUE.
---
 src/mapi/glapi/gen/gl_marshal.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/mapi/glapi/gen/gl_marshal.py b/src/mapi/glapi/gen/gl_marshal.py
index b7e05ac..e4137f4 100644
--- a/src/mapi/glapi/gen/gl_marshal.py
+++ b/src/mapi/glapi/gen/gl_marshal.py
@@ -168,36 +168,51 @@ class PrintCode(gl_XML.gl_print_base):
                     out('const {0} * {1};'.format(
                             p.get_base_type_string(), p.name))
                 out('const char *variable_data = (const char *) (cmd + 1);')
                 for p in func.variable_params:
                     out('{0} = (const {1} *) variable_data;'.format(
                             p.name, p.get_base_type_string()))
                     out('variable_data += {0};'.format(p.size_string(False)))
             self.print_sync_call(func)
         out('}')
 
+    def validate_count_or_return(self, func):
+        # Check that any counts for variable-length arguments might be < 0, in
+        # which case the command alloc or the memcpy would blow up before we
+        # get to the validation in Mesa core.
+        for p in func.parameters:
+            if p.is_variable_length():
+                out('if (unlikely({0} < 0)) {{'.format(p.size_string()))
+                with indent():
+                    out('_mesa_glthread_finish(ctx);')
+                    out('_mesa_error(ctx, GL_INVALID_VALUE, "{0}({1} < 0)");'.format(func.name, p.size_string()))
+                    out('return;')
+                out('}')
+
     def print_async_marshal(self, func):
         out('static void GLAPIENTRY')
         out('_mesa_marshal_{0}({1})'.format(
                 func.name, func.get_parameter_string()))
         out('{')
         with indent():
             out('GET_CURRENT_CONTEXT(ctx);')
             struct = 'struct marshal_cmd_{0}'.format(func.name)
             size_terms = ['sizeof({0})'.format(struct)]
             for p in func.variable_params:
                 size_terms.append(p.size_string())
             out('size_t cmd_size = {0};'.format(' + '.join(size_terms)))
             out('{0} *cmd;'.format(struct))
 
             out('debug_print_marshal("{0}");'.format(func.name))
 
+            self.validate_count_or_return(func)
+
             out('if (cmd_size <= MARSHAL_MAX_CMD_SIZE) {')
             with indent():
                 self.print_async_dispatch(func)
             out('} else {')
             with indent():
                 self.print_sync_dispatch(func)
             out('}')
 
         out('}')
 
-- 
2.9.3

More information about the mesa-dev mailing list