[Mesa-dev] [Bug 106836] Out of bounds array access in FindProcIndex

Wed Jun 6 10:07:22 UTC 2018

https://bugs.freedesktop.org/show_bug.cgi?id=106836

            Bug ID: 106836
           Summary: Out of bounds array access in FindProcIndex
           Product: Mesa
           Version: git
          Hardware: All
                OS: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: EGL
          Assignee: mesa-dev at lists.freedesktop.org
          Reporter: yogishk at nvidia.com
        QA Contact: mesa-dev at lists.freedesktop.org

Created attachment 140049
  --> https://bugs.freedesktop.org/attachment.cgi?id=140049&action=edit
Fix out of bounds array access in FindProcIndex

When name passed to FindProcIndex() is not present in array
__EGL_DISPATCH_FUNC_NAMES, "last" can become -1. But since it is declared as
unsigned "while (first <= last)" check will get pass and
_EGL_DISPATCH_FUNC_NAMES[] will be accessed out of the bounds.

When application try to look egl* API using eglGetProcAddress(), glvnd will try
to set dispatch index by calling __eglSetDispatchIndex()for each vendor. When
mesa's __eglSetDispatchIndex() is called and if egl API is not present in
__EGL_DISPATCH_FUNC_NAMES, application will crash.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/mesa-dev/attachments/20180606/6dfbc292/attachment.html>