[Mesa-stable] [PATCH 01/13] egl/dri: Avoid out of bounds array access
Kevin Strasser
kevin.strasser at intel.com
Mon Jan 28 18:42:44 UTC 2019
indexConfigAttrib iterates over every index in the dri driver, possibly
exceeding __DRI_ATTRIB_MAX. In other words, if the dri driver has newer
attributes libEGL will end up reading from uninitialized memory through
dri2_to_egl_attribute_map[].
Signed-off-by: Kevin Strasser <kevin.strasser at intel.com>
Cc: mesa-stable at lists.freedesktop.org
---
src/egl/drivers/dri2/egl_dri2.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/egl/drivers/dri2/egl_dri2.c b/src/egl/drivers/dri2/egl_dri2.c
index 892e32d..f7ce06f 100644
--- a/src/egl/drivers/dri2/egl_dri2.c
+++ b/src/egl/drivers/dri2/egl_dri2.c
@@ -199,8 +199,10 @@ dri2_add_config(_EGLDisplay *disp, const __DRIconfig *dri_config, int id,
bind_to_texture_rgb = 0;
bind_to_texture_rgba = 0;
- for (int i = 0; dri2_dpy->core->indexConfigAttrib(dri_config, i, &attrib,
- &value); ++i) {
+ for (int i = 0; i < __DRI_ATTRIB_MAX; ++i) {
+ if (!dri2_dpy->core->indexConfigAttrib(dri_config, i, &attrib, &value))
+ break;
+
switch (attrib) {
case __DRI_ATTRIB_RENDER_TYPE:
if (value & __DRI_ATTRIB_RGBA_BIT)
--
2.7.4
More information about the mesa-stable
mailing list