[virglrenderer-devel] [PATCH] renderer: fix NULL pointer deref in vrend_clear

Li Qiang liq3ea at gmail.com
Wed Jan 4 02:15:55 UTC 2017


Ping!

2016-12-29 18:57 GMT+08:00 Li Qiang <liq3ea at gmail.com>:

> In vrend clear dispatch function, the 'buffers' is read from
> guest. A malicious guest can specify a bad 'buffers' to make
> the function call util_format_is_pure_uint() even when the
> 'ctx->sub->surf[i]' is NULL. This can cause a NULL pointer deref.
> Make a sanity check to avoid this.
>
> Signed-off-by: Li Qiang <liq3ea at gmail.com>
> ---
>  src/vrend_renderer.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
> index 00b61eb..cd8055d 100644
> --- a/src/vrend_renderer.c
> +++ b/src/vrend_renderer.c
> @@ -2354,10 +2354,10 @@ void vrend_clear(struct vrend_context *ctx,
>           mask = buffers >> 2;
>           while (mask) {
>              i = u_bit_scan(&mask);
> -            if (util_format_is_pure_uint(ctx->sub->surf[i]->format))
> +            if (i < 8 && ctx->sub->surf[i] &&
> util_format_is_pure_uint(ctx->sub->surf[i] && ctx->sub->surf[i]->format))
>                 glClearBufferuiv(GL_COLOR,
>                                  i, (GLuint *)color);
> -            else if (util_format_is_pure_sint(ctx->sub->surf[i]->format))
> +            else if (i < 8 && ctx->sub->surf[i] &&
> util_format_is_pure_sint(ctx->sub->surf[i] && ctx->sub->surf[i]->format))
>                 glClearBufferiv(GL_COLOR,
>                                  i, (GLint *)color);
>              else
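Review bot: the new argument expressions are wrong: `util_format_is_pure_uint(ctx->sub->surf[i] && ctx->sub->surf[i]->format)` and the matching `_sint` call pass the result of the `&&` (an int, 0 or 1) instead of the surface format, so after this patch neither branch ever tests the real format. The NULL check is already done by the outer `ctx->sub->surf[i] &&`, so the inner operand should be just `ctx->sub->surf[i]->format`. Two further points: the literal `8` should be the bound of the `surf` array (its size constant) rather than a magic number, and when `i >= 8` or `surf[i]` is NULL control now falls through to the `else` branch, which still issues a clear for that buffer index; consider skipping such bits (e.g. `continue` before the format checks) rather than letting them reach the fallback clear.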
> --
> 2.7.4
>
>