[virglrenderer-devel] [PATCH] renderer: fix heap overflow in vertex elements state create
Marc-André Lureau
mlureau at redhat.com
Tue Dec 27 17:08:10 UTC 2016
----- Original Message -----
> The 'num_elements' can be controlled by the guest but the
> 'vrend_vertex_element_array' has a fixed 'elements' field.
> This can cause a heap overflow. Add sanity check of 'num_elements'.
>
> Signed-off-by: Li Qiang <liq3ea at gmail.com>
> ---
Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>
> src/vrend_renderer.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
> index 00b61eb..32e2e7d 100644
> --- a/src/vrend_renderer.c
> +++ b/src/vrend_renderer.c
> @@ -1656,6 +1656,9 @@ int vrend_create_vertex_elements_state(struct
> vrend_context *ctx,
> if (!v)
> return ENOMEM;
>
> + if (num_elements > PIPE_MAX_ATTRIBS)
> + return EINVAL;
> +
> v->count = num_elements;
> for (i = 0; i < num_elements; i++) {
> memcpy(&v->elements[i].base, &elements[i], sizeof(struct
> pipe_vertex_element));
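Review bot: the new `if (num_elements > PIPE_MAX_ATTRIBS) return EINVAL;` sits after the `if (!v) return ENOMEM;` check, i.e. after `v` has already been allocated, so the early return leaks `v` on the invalid-input path. Move the bounds check above the allocation (it only depends on the `num_elements` argument, not on `v`), or free `v` before returning EINVAL. Since `num_elements` is guest-controlled and the fixed `elements` array is the overflow target, it is also worth confirming in the function's declaration that `num_elements` is unsigned, so a negative value cannot slip past a `>` comparison.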
> --
> 2.7.4
>
>