[virglrenderer-devel] [PATCH] renderer: fix heap overflow in vertex elements state create
Li Qiang
liq3ea at gmail.com
Wed Jan 4 02:13:45 UTC 2017
Hello David,
Could you please add this patch and other patches to the upstream?
Thanks.
2016-12-28 1:08 GMT+08:00 Marc-André Lureau <mlureau at redhat.com>:
>
>
> ----- Original Message -----
> > The 'num_elements' can be controlled by the guest but the
> > 'vrend_vertex_element_array' has a fixed 'elements' field.
> > This can cause a heap overflow. Add sanity check of 'num_elements'.
> >
> > Signed-off-by: Li Qiang <liq3ea at gmail.com>
> > ---
>
> Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>
>
> > src/vrend_renderer.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
> > index 00b61eb..32e2e7d 100644
> > --- a/src/vrend_renderer.c
> > +++ b/src/vrend_renderer.c
> > @@ -1656,6 +1656,9 @@ int vrend_create_vertex_elements_state(struct
> > vrend_context *ctx,
> > if (!v)
> > return ENOMEM;
> >
> > + if (num_elements > PIPE_MAX_ATTRIBS)
> > + return EINVAL;
> > +
> > v->count = num_elements;
> > for (i = 0; i < num_elements; i++) {
> > memcpy(&v->elements[i].base, &elements[i], sizeof(struct
> > pipe_vertex_element));
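Review bot: the new `return EINVAL` is placed after the `if (!v) return ENOMEM;` check, so `v` has already been allocated when the bound test fails and is never released on that path. Since `num_elements` is guest-controlled, every rejected request leaks one allocation. Either move the `num_elements > PIPE_MAX_ATTRIBS` test above the allocation or free `v` before returning. The hunk also does not show the declaration of `elements`, so it is worth confirming (and stating in the commit message) that the array is sized by `PIPE_MAX_ATTRIBS`, which makes `>` rather than `>=` the right comparison.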
> > --
> > 2.7.4
> >
> >
>