[virglrenderer-devel] [PATCH] renderer: fix heap overflow in vertex elements state create
David Airlie
airlied at redhat.com
Wed Jan 4 19:44:02 UTC 2017
I'm probably not in a position to handle this until Jan 25th or so; I might get to it next week, but I've got a lot to do
and I'm on holidays or attending conferences.
Dave.
----- Original Message -----
> From: "Li Qiang" <liq3ea at gmail.com>
> To: "Marc-André Lureau" <mlureau at redhat.com>
> Cc: virglrenderer-devel at lists.freedesktop.org, airlied at redhat.com, "marcandre lureau" <marcandre.lureau at redhat.com>,
> "Li Qiang" <liqiang6-s at 360.cn>
> Sent: Wednesday, 4 January, 2017 12:13:43 PM
> Subject: Re: [PATCH] renderer: fix heap overflow in vertex elements state create
>
> Hello David,
>
> Could you please add this patch and other patches to the upstream?
>
> Thanks.
>
> 2016-12-28 1:08 GMT+08:00 Marc-André Lureau <mlureau at redhat.com>:
>
> >
> >
> > ----- Original Message -----
> > > The 'num_elements' can be controlled by the guest but the
> > > 'vrend_vertex_element_array' has a fixed 'elements' field.
> > > This can cause a heap overflow. Add sanity check of 'num_elements'.
> > >
> > > Signed-off-by: Li Qiang <liq3ea at gmail.com>
> > > ---
> >
> > Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>
> >
> > > src/vrend_renderer.c | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
> > > index 00b61eb..32e2e7d 100644
> > > --- a/src/vrend_renderer.c
> > > +++ b/src/vrend_renderer.c
> > > @@ -1656,6 +1656,9 @@ int vrend_create_vertex_elements_state(struct
> > > vrend_context *ctx,
> > > if (!v)
> > > return ENOMEM;
> > >
> > > + if (num_elements > PIPE_MAX_ATTRIBS)
> > > + return EINVAL;
> > > +
> > > v->count = num_elements;
> > > for (i = 0; i < num_elements; i++) {
> > > memcpy(&v->elements[i].base, &elements[i], sizeof(struct
> > > pipe_vertex_element));
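Review bot: the new `num_elements > PIPE_MAX_ATTRIBS` check is placed after `v` has already been allocated (the `if (!v) return ENOMEM;` two lines above it), so the `return EINVAL;` path leaks that allocation on every rejected request, and a guest that controls `num_elements` can trigger it at will. Move the check above the allocation, or free `v` before returning EINVAL. A one-line comment stating that the bound is the fixed size of `v->elements` would also make the purpose of the check clear to the next reader, since the function signature gives no hint that `num_elements` is guest-controlled.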
> > > --
> > > 2.7.4
> > >
> > >
> >
>
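As an added illustration of the bug class described in the commit message above (example code written for this page, not virglrenderer's own; the names MAX_ATTRIBS, vertex_element, vertex_element_array and the field layout are assumptions standing in for PIPE_MAX_ATTRIBS, pipe_vertex_element and vrend_vertex_element_array): a guest-supplied element count copied into a fixed-size array inside a heap allocation, beside the checked form with the bound tested before the allocation, so the reject path has nothing to leak.

```c
/* Added example, not virglrenderer code. Models the pattern fixed by the
 * patch: a guest-controlled count drives a copy loop into a struct whose
 * 'elements' array has a fixed size. All identifiers below are assumptions
 * chosen for this example, not the project's own. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ATTRIBS 32   /* assumed capacity of the fixed 'elements' array */

struct vertex_element {   /* assumed stand-in for pipe_vertex_element */
    uint32_t src_offset;
    uint32_t instance_divisor;
    uint32_t vertex_buffer_index;
    uint32_t src_format;
};

struct vertex_element_array {
    unsigned count;
    struct vertex_element elements[MAX_ATTRIBS];  /* fixed size, on the heap */
};

/* Vulnerable form: num_elements is trusted. For num_elements > MAX_ATTRIBS
 * the loop writes past the end of the calloc'd block (heap overflow). */
int create_vea_unchecked(unsigned num_elements,
                         const struct vertex_element *elements,
                         struct vertex_element_array **out)
{
    struct vertex_element_array *v = calloc(1, sizeof(*v));
    if (!v)
        return ENOMEM;
    v->count = num_elements;
    for (unsigned i = 0; i < num_elements; i++)
        memcpy(&v->elements[i], &elements[i], sizeof(struct vertex_element));
    *out = v;
    return 0;
}

/* Hardened form: reject out-of-range counts before allocating, so the
 * EINVAL path owns no memory and cannot leak, and the copy loop is
 * bounded by the array capacity. */
int create_vea_checked(unsigned num_elements,
                       const struct vertex_element *elements,
                       struct vertex_element_array **out)
{
    if (num_elements > MAX_ATTRIBS)   /* bound = sizeof v->elements */
        return EINVAL;
    struct vertex_element_array *v = calloc(1, sizeof(*v));
    if (!v)
        return ENOMEM;
    v->count = num_elements;
    for (unsigned i = 0; i < num_elements; i++)
        memcpy(&v->elements[i], &elements[i], sizeof(struct vertex_element));
    *out = v;
    return 0;
}

/* Drives the hardened create with a constructed guest request of 'count'
 * zeroed elements and returns its status code; frees any allocation.
 * The constructed source buffer holds MAX_ATTRIBS + 1 entries, enough to
 * submit exactly one element more than fits. */
int checked_status_for(unsigned count)
{
    struct vertex_element els[MAX_ATTRIBS + 1] = {0};  /* constructed input */
    if (count > MAX_ATTRIBS + 1)
        return -1;  /* keep the constructed source buffer itself in bounds */
    struct vertex_element_array *v = NULL;
    int rc = create_vea_checked(count, els, &v);
    free(v);
    return rc;
}

int main(void)
{
    /* An over-long request must be refused; a full one must be accepted. */
    if (checked_status_for(MAX_ATTRIBS + 1) != EINVAL)
        return 1;
    return checked_status_for(MAX_ATTRIBS) == 0 ? 0 : 1;
}
```

The unchecked variant is kept only for comparison and is never called with an over-long count here; doing so would corrupt the heap, which is exactly the condition the patch removes.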