[virglrenderer-devel] [Mesa-dev] [PATCH v3] gallium/tgsi: fix overflow in parse property

Li Qiang liq3ea at gmail.com
Thu Jan 12 02:18:36 UTC 2017


Hello Dave,

Should I send another patch for virglrenderer?

Thanks.

2017-01-11 22:44 GMT+08:00 Marek Olšák <maraeo at gmail.com>:

> Pushed, thanks.
>
> Marek
>
> On Tue, Jan 10, 2017 at 9:56 AM, Li Qiang <liq3ea at gmail.com> wrote:
> > In parse_identifier, it doesn't stop copying '*pcur'
> > untill encounter the NULL. As the 'ret' has a
> > fixed-size buffer, if the '*pcur' has a long string,
> > there will be a buffer overflow. This patch avoid this.
> >
> > Signed-off-by: Li Qiang <liq3ea at gmail.com>
> > ---
> >  src/gallium/auxiliary/tgsi/tgsi_text.c | 9 ++++++---
> >  1 file changed, 6 insertions(+), 3 deletions(-)
> >
> > diff --git a/src/gallium/auxiliary/tgsi/tgsi_text.c
> b/src/gallium/auxiliary/tgsi/tgsi_text.c
> > index 1b4f594..308e6b5 100644
> > --- a/src/gallium/auxiliary/tgsi/tgsi_text.c
> > +++ b/src/gallium/auxiliary/tgsi/tgsi_text.c
> > @@ -208,14 +208,17 @@ static boolean parse_int( const char **pcur, int
> *val )
> >     return FALSE;
> >  }
> >
> > -static boolean parse_identifier( const char **pcur, char *ret )
> > +static boolean parse_identifier( const char **pcur, char *ret, size_t
> len )
> >  {
> >     const char *cur = *pcur;
> >     int i = 0;
> >     if (is_alpha_underscore( cur )) {
> >        ret[i++] = *cur++;
> > -      while (is_alpha_underscore( cur ) || is_digit( cur ))
> > +      while (is_alpha_underscore( cur ) || is_digit( cur )) {
> > +         if (i == len - 1)
> > +            return FALSE;
> >           ret[i++] = *cur++;
> > +      }
> >        ret[i++] = '\0';
> >        *pcur = cur;
> >        return TRUE;
> > @@ -1787,7 +1790,7 @@ static boolean parse_property( struct
> translate_ctx *ctx )
> >        report_error( ctx, "Syntax error" );
> >        return FALSE;
> >     }
> > -   if (!parse_identifier( &ctx->cur, id )) {
> > +   if (!parse_identifier( &ctx->cur, id, sizeof(id) )) {
> >        report_error( ctx, "Syntax error" );
> >        return FALSE;
> >     }
> > --
> > 2.7.4
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/virglrenderer-devel/attachments/20170112/5663b033/attachment.html>


More information about the virglrenderer-devel mailing list