[virglrenderer-devel] [PATCH] vrend: add sanity check for vertext buffer index
Marc-André Lureau
mlureau at redhat.com
Wed Dec 28 12:24:49 UTC 2016
----- Original Message -----
> The vertext_buffer_index is read from guest and then used
> to index the 'vbo' array in struct 'vrend_sub_context'.
> Add sanity check for this to avoid oob issue.
>
> Signed-off-by: Li Qiang <liq3ea at gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>
> ---
> src/vrend_decode.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/src/vrend_decode.c b/src/vrend_decode.c
> index 09f08ae..cab3956 100644
> --- a/src/vrend_decode.c
> +++ b/src/vrend_decode.c
> @@ -612,6 +612,10 @@ static int vrend_decode_create_ve(struct
> vrend_decode_ctx *ctx, uint32_t handle,
> ve[i].src_offset = get_buf_entry(ctx,
> VIRGL_OBJ_VERTEX_ELEMENTS_V0_SRC_OFFSET(i));
> ve[i].instance_divisor = get_buf_entry(ctx,
> VIRGL_OBJ_VERTEX_ELEMENTS_V0_INSTANCE_DIVISOR(i));
> ve[i].vertex_buffer_index = get_buf_entry(ctx,
> VIRGL_OBJ_VERTEX_ELEMENTS_V0_VERTEX_BUFFER_INDEX(i));
> +
> + if (ve[i].vertex_buffer_index >= PIPE_MAX_ATTRIBS)
> + return EINVAL;
> +
> ve[i].src_format = get_buf_entry(ctx,
> VIRGL_OBJ_VERTEX_ELEMENTS_V0_SRC_FORMAT(i));
> }
> }
> --
> 2.7.4
>
>
More information about the virglrenderer-devel
mailing list