[virglrenderer-devel] [PATCH] vrend_render: fix decode edge cases.

Dave Airlie airlied at gmail.com
Mon Jul 9 22:25:48 UTC 2018


On 21 June 2018 at 09:56, Po-Hsien Wang <pwang at chromium.org> wrote:
> ---
>  src/vrend_decode.c   | 3 ++-
>  src/vrend_renderer.c | 3 ++-
>  2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/vrend_decode.c b/src/vrend_decode.c
> index d50f385..8793668 100644
> --- a/src/vrend_decode.c
> +++ b/src/vrend_decode.c
> @@ -295,7 +295,8 @@ static int vrend_decode_set_sampler_views(struct vrend_decode_ctx *ctx, uint16_t
>        return EINVAL;
>
>     if (num_samps > PIPE_MAX_SHADER_SAMPLER_VIEWS ||
> -       start_slot > (PIPE_MAX_SHADER_SAMPLER_VIEWS - num_samps))
> +       start_slot > (PIPE_MAX_SHADER_SAMPLER_VIEWS - num_samps) ||
> +       start_slot < 0)
>        return EINVAL;
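Review bot: the new `start_slot < 0` test at the end of this condition only does anything if `start_slot` is a signed type; the hunk does not show its declaration, and if it is an unsigned decoded word (the surrounding decoder arguments are unsigned, e.g. the `uint16_t` in the function signature) the comparison is always false and compilers flag it as a tautology, so the existing `start_slot > (PIPE_MAX_SHADER_SAMPLER_VIEWS - num_samps)` check already covers every reachable value. Either state the type and the input that triggered the out-of-range case in the commit message (the body above `---` is empty) or drop the redundant comparison.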

I've sent a better fix for this, please review it.
https://patchwork.freedesktop.org/series/46222/

>        view = vrend_object_lookup(ctx->sub->object_hash, handle, VIRGL_OBJECT_SAMPLER_VIEW);
>        if (!view) {
> -         ctx->sub->views[shader_type].views[index] = NULL;
> +         if (index < ctx->sub->views[shader_type].num_views)
> +            ctx->sub->views[shader_type].views[index] = NULL;
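Review bot: the new `if (index < ctx->sub->views[shader_type].num_views)` guard silently skips the slot clear when the index is out of that range instead of reporting it, and the hunk does not show whether `num_views` is the array's allocated length or only the count of currently bound views. Since the decoder already rejects `start_slot`/`num_samps` combinations beyond PIPE_MAX_SHADER_SAMPLER_VIEWS, this branch is either unreachable or is checking a different bound than the one that protects the array; if a bad index can still reach this point, return an error (as the decoder does with EINVAL) rather than dropping the assignment without a trace.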

Why is this necessary? We've already confirmed the index should be within the bounds of the memory allocated; avoiding a NULL write to somewhere doesn't really save us anything or make it more secure.

Dave.
