[virglrenderer-devel] [Mesa-dev] [PATCH v3] gallium/tgsi: fix overflow in parse property

Li Qiang liq3ea at gmail.com
Wed Jan 18 03:25:39 UTC 2017


Hello Dave,

Ping....

2017-01-12 10:18 GMT+08:00 Li Qiang <liq3ea at gmail.com>:

> Hello Dave,
>
> Should I send another patch for virglrenderer?
>
> Thanks.
>
>
> 2017-01-11 22:44 GMT+08:00 Marek Olšák <maraeo at gmail.com>:
>
>> Pushed, thanks.
>>
>> Marek
>>
>> On Tue, Jan 10, 2017 at 9:56 AM, Li Qiang <liq3ea at gmail.com> wrote:
>> > In parse_identifier, it doesn't stop copying '*pcur'
>> > until it encounters the NULL. As the 'ret' has a
>> > fixed-size buffer, if the '*pcur' has a long string,
>> > there will be a buffer overflow. This patch avoids this.
>> >
>> > Signed-off-by: Li Qiang <liq3ea at gmail.com>
>> > ---
>> >  src/gallium/auxiliary/tgsi/tgsi_text.c | 9 ++++++---
>> >  1 file changed, 6 insertions(+), 3 deletions(-)
>> >
>> > diff --git a/src/gallium/auxiliary/tgsi/tgsi_text.c
>> b/src/gallium/auxiliary/tgsi/tgsi_text.c
>> > index 1b4f594..308e6b5 100644
>> > --- a/src/gallium/auxiliary/tgsi/tgsi_text.c
>> > +++ b/src/gallium/auxiliary/tgsi/tgsi_text.c
>> > @@ -208,14 +208,17 @@ static boolean parse_int( const char **pcur, int
>> *val )
>> >     return FALSE;
>> >  }
>> >
>> > -static boolean parse_identifier( const char **pcur, char *ret )
>> > +static boolean parse_identifier( const char **pcur, char *ret, size_t
>> len )
>> >  {
>> >     const char *cur = *pcur;
>> >     int i = 0;
>> >     if (is_alpha_underscore( cur )) {
>> >        ret[i++] = *cur++;
>> > -      while (is_alpha_underscore( cur ) || is_digit( cur ))
>> > +      while (is_alpha_underscore( cur ) || is_digit( cur )) {
>> > +         if (i == len - 1)
>> > +            return FALSE;
>> >           ret[i++] = *cur++;
>> > +      }
>> >        ret[i++] = '\0';
>> >        *pcur = cur;
>> >        return TRUE;
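Review bot: the new guard `if (i == len - 1) return FALSE;` only catches the exact boundary and assumes the unconditional first store `ret[i++] = *cur++;` left room, so it does not hold for every `len` a caller might pass: with `len` of 1 the loop starts at `i == 1` and never matches `len - 1 == 0`, and with `len` of 0 the `size_t` subtraction wraps, so in both cases the copy and the trailing `'\0'` still run past the end of `ret`. `i` is also an `int` compared against a `size_t`, which trips -Wsign-compare. Suggest returning FALSE up front when `len < 2` (before the first store) and changing the loop check to `if ((size_t)i >= len - 1)`, so the bound is enforced for any buffer size rather than only the one parse_property happens to use.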
>> > @@ -1787,7 +1790,7 @@ static boolean parse_property( struct
>> translate_ctx *ctx )
>> >        report_error( ctx, "Syntax error" );
>> >        return FALSE;
>> >     }
>> > -   if (!parse_identifier( &ctx->cur, id )) {
>> > +   if (!parse_identifier( &ctx->cur, id, sizeof(id) )) {
>> >        report_error( ctx, "Syntax error" );
>> >        return FALSE;
>> >     }
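Review bot: `sizeof(id)` at this call site is only the buffer length if `id` is a char array local to parse_property; its declaration is outside the hunk context, and `sizeof` of a pointer would silently pass 4 or 8, so a short note in the commit message confirming it is an array would help reviewers. Because the signature of parse_identifier changed, any other caller in tgsi_text.c would have to be updated in the same patch; the diffstat of 6 insertions and 3 deletions matches exactly the lines shown, which is consistent with parse_property being the sole caller. Consider also reporting a more specific message than "Syntax error" on this path (e.g. "identifier too long"), so an over-long identifier can be told apart from a malformed one when an error is logged.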
>> > --
>> > 2.7.4
>> >
>>
>
>