[virglrenderer-devel] [PATCH v2] gallium/tgsi: fix overflow in parse property

Marc-André Lureau mlureau at redhat.com
Mon Jan 9 12:36:22 UTC 2017


Hi

----- Original Message -----
> In parse_identifier, it doesn't stop copying '*pcur'
> until it encounters the NULL. As the 'ret' has a fixed-size
> buffer, if the '*pcur' has a long string, there will be
> a buffer overflow. This patch avoids this.
> 
> Signed-off-by: Li Qiang <liq3ea at gmail.com>
> ---
>  src/gallium/auxiliary/tgsi/tgsi_text.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/src/gallium/auxiliary/tgsi/tgsi_text.c
> b/src/gallium/auxiliary/tgsi/tgsi_text.c
> index 1b4f594..599cd99 100644
> --- a/src/gallium/auxiliary/tgsi/tgsi_text.c
> +++ b/src/gallium/auxiliary/tgsi/tgsi_text.c
> @@ -208,14 +208,17 @@ static boolean parse_int( const char **pcur, int *val )
>     return FALSE;
>  }
>  
> -static boolean parse_identifier( const char **pcur, char *ret )
> +static boolean parse_identifier( const char **pcur, char *ret, size_t len )
>  {
>     const char *cur = *pcur;
>     int i = 0;
>     if (is_alpha_underscore( cur )) {
>        ret[i++] = *cur++;
> -      while (is_alpha_underscore( cur ) || is_digit( cur ))
> +      while (is_alpha_underscore( cur ) || is_digit( cur )) {
> +         if ( i >= len - 1 )
> +            return FALSE;

i > len - 1 (two more characters may be appended), or even i == len - 1.

>           ret[i++] = *cur++;
> +      }
>        ret[i++] = '\0';
>        *pcur = cur;
>        return TRUE;
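Review bot: the new check `if ( i >= len - 1 )` compares the `int` counter `i` with the `size_t` expression `len - 1`, so `i` is converted to unsigned (a -Wsign-compare warning), and for `len == 0` the right-hand side wraps to SIZE_MAX so the check never fires; the first write `ret[i++] = *cur++;` above the loop is also unchecked whatever `len` is. Declaring `i` as `size_t` and returning FALSE up front when `len < 2` (or documenting that precondition) would make the bound hold for every caller. The bound itself is tight as written: after the last permitted append `i` equals `len - 1`, which is exactly the slot `ret[i++] = '\0';` needs, so relaxing the test to `i > len - 1` would put the terminator at `ret[len]`.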
> @@ -1787,7 +1790,7 @@ static boolean parse_property( struct translate_ctx
> *ctx )
>        report_error( ctx, "Syntax error" );
>        return FALSE;
>     }
> -   if (!parse_identifier( &ctx->cur, id )) {
> +   if (!parse_identifier( &ctx->cur, id, sizeof(id) )) {
>        report_error( ctx, "Syntax error" );
>        return FALSE;
>     }
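Review bot: `sizeof(id)` is only correct because `id` is a fixed-size array local to parse_property, as the commit message says; if `id` is ever changed to a pointer this silently passes the pointer size, so a short comment at the declaration of `id` is worth adding. Also, an identifier that is merely too long now reaches the same `report_error( ctx, "Syntax error" )` as a malformed one; a distinct message such as "Identifier too long" would let the length rejection be told apart from a real syntax error when parsing fails.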
> --
> 2.7.4