[virglrenderer-devel] [PATCH] renderer: fix heap overflow in vertex elements state create

Li Qiang liq3ea at gmail.com
Tue Dec 27 09:56:25 UTC 2016


The 'num_elements' can be controlled by the guest but the
'vrend_vertex_element_array' has a fixed 'elements' field.
This can cause a heap overflow. Add sanity check of 'num_elements'.

Signed-off-by: Li Qiang <liq3ea at gmail.com>
---
 src/vrend_renderer.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 00b61eb..32e2e7d 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -1656,6 +1656,9 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx,
    if (!v)
       return ENOMEM;
 
+   if (num_elements > PIPE_MAX_ATTRIBS)
+      return EINVAL;
+
    v->count = num_elements;
    for (i = 0; i < num_elements; i++) {
       memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element));
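Review bot: the new `if (num_elements > PIPE_MAX_ATTRIBS) return EINVAL;` is placed after `v` has already been allocated (the `if (!v) return ENOMEM;` just above it), so the early return on an oversized `num_elements` leaks the freshly allocated vertex element state. Either hoist the check above the allocation, where it also avoids the needless allocation for a guest-controlled bad value, or free `v` before returning `EINVAL`. It is also worth confirming in the definition of `struct vrend_vertex_element_array` that the fixed `elements` array really holds `PIPE_MAX_ATTRIBS` entries, since the check only prevents the overflow if the bound matches the array size.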
-- 
2.7.4
