[virglrenderer-devel] [PATCH] vrend_render: fix decode edge cases.
Dave Airlie
airlied at gmail.com
Mon Jul 9 22:25:48 UTC 2018
On 21 June 2018 at 09:56, Po-Hsien Wang <pwang at chromium.org> wrote:
> ---
> src/vrend_decode.c | 3 ++-
> src/vrend_renderer.c | 3 ++-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/vrend_decode.c b/src/vrend_decode.c
> index d50f385..8793668 100644
> --- a/src/vrend_decode.c
> +++ b/src/vrend_decode.c
> @@ -295,7 +295,8 @@ static int vrend_decode_set_sampler_views(struct vrend_decode_ctx *ctx, uint16_t
> return EINVAL;
>
> if (num_samps > PIPE_MAX_SHADER_SAMPLER_VIEWS ||
> - start_slot > (PIPE_MAX_SHADER_SAMPLER_VIEWS - num_samps))
> + start_slot > (PIPE_MAX_SHADER_SAMPLER_VIEWS - num_samps) ||
> + start_slot < 0)
> return EINVAL;
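Review bot: the added `start_slot < 0` clause only has an effect if `start_slot` is declared as a signed type, and that declaration is not in the hunk; if it is unsigned, which is the usual choice for a slot index decoded from a guest command buffer, the comparison is always false, compilers flag it under -Wtype-limits, and the existing `start_slot > (PIPE_MAX_SHADER_SAMPLER_VIEWS - num_samps)` test, evaluated after `num_samps > PIPE_MAX_SHADER_SAMPLER_VIEWS` so the subtraction cannot wrap, already rejects every out-of-range start. Please state the declared type in the commit message (the patch currently has none, only the diffstat) and drop the clause if the type is unsigned; if it really is signed, put the `< 0` test before the subtraction comparison and say which edge case it closes.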
I've sent a better fix for this; please review it.
https://patchwork.freedesktop.org/series/46222/
> view = vrend_object_lookup(ctx->sub->object_hash, handle, VIRGL_OBJECT_SAMPLER_VIEW);
> if (!view) {
> - ctx->sub->views[shader_type].views[index] = NULL;
> + if (index < ctx->sub->views[shader_type].num_views)
> + ctx->sub->views[shader_type].views[index] = NULL;
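Review bot: guarding the NULL store with `index < ctx->sub->views[shader_type].num_views` changes behaviour without adding safety: the decoder hunk above already rejects any `start_slot`/`num_samps` pair that reaches past PIPE_MAX_SHADER_SAMPLER_VIEWS, which is the array's size, whereas `num_views`, if it is the count currently bound as its name suggests, can be smaller than that, so an index past `num_views` but inside the array is a legitimate slot that this change now leaves holding whatever pointer it held before instead of NULL. If the intent is to treat a failed handle lookup as an error, return one (or log it) rather than silently skipping the write; otherwise keep the unconditional `ctx->sub->views[shader_type].views[index] = NULL;`. The hunk also does not show the branch taken when `view` is non-NULL; if that branch stores into `views[index]` without the same guard, the asymmetry needs an explanation in the commit message.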
Why is this necessary? We've already confirmed the index should be within the bounds of the memory allocated; avoiding a NULL write to somewhere doesn't really save us anything or make it more secure.
Dave.
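An added example, not code from the patch or from virglrenderer, showing the shape of the range check discussed in this thread and why the effect of a `start_slot < 0` clause depends entirely on the declared type of `start_slot`. The limit, the function names and the choice of `uint32_t`/`int32_t` are assumptions standing in for PIPE_MAX_SHADER_SAMPLER_VIEWS and the decoder's real types:

```c
#include <stdint.h>
#include <stdbool.h>
#include <errno.h>

/* Illustrative limit; stands in for PIPE_MAX_SHADER_SAMPLER_VIEWS (assumed). */
#define MAX_SAMPLER_VIEWS 32u

/*
 * Range check in the shape used by the quoted hunk, with unsigned operands:
 * reject first when the count alone exceeds the limit, so the subtraction
 * below cannot wrap, then reject when the start slot leaves no room for
 * the count. A "start_slot < 0" clause would be dead code here, since a
 * uint32_t is never negative. Returns 0 on success, EINVAL otherwise.
 */
int check_slot_range(uint32_t start_slot, uint32_t num_samps)
{
    if (num_samps > MAX_SAMPLER_VIEWS ||
        start_slot > MAX_SAMPLER_VIEWS - num_samps)
        return EINVAL;
    return 0;
}

/*
 * The additive form, included only to show the wraparound it permits:
 * a start slot near UINT32_MAX makes start_slot + num_samps wrap back
 * under the limit, so an out-of-range request passes.
 */
int check_slot_range_additive(uint32_t start_slot, uint32_t num_samps)
{
    if (start_slot + num_samps > MAX_SAMPLER_VIEWS)
        return EINVAL;
    return 0;
}

/*
 * Reference check computed in 64 bits, where no wrap is possible, used
 * below to show which of the two 32-bit forms agrees with the truth.
 */
bool slots_in_bounds(uint32_t start_slot, uint32_t num_samps)
{
    return (uint64_t)start_slot + num_samps <= MAX_SAMPLER_VIEWS;
}

/*
 * The same two clauses with a signed start slot: a negative start passes
 * the subtraction test, which is the only situation in which an explicit
 * "start_slot < 0" clause (as in the patch) would catch anything.
 */
int check_slot_range_signed(int32_t start_slot, int32_t num_samps)
{
    if (num_samps < 0 || (uint32_t)num_samps > MAX_SAMPLER_VIEWS ||
        start_slot > (int32_t)(MAX_SAMPLER_VIEWS - (uint32_t)num_samps))
        return EINVAL;
    return 0;
}
```

With `uint32_t` operands `check_slot_range` agrees with the 64-bit reference on every input, including `start_slot = UINT32_MAX`, while `check_slot_range_additive` accepts that request because the sum wraps to 3; with `int32_t` operands `check_slot_range_signed(-1, 4)` is accepted, which is the case a `< 0` clause exists for.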