[virglrenderer-devel] [PATCH] Fix create_shader buf boundary check
Po-Hsien Wang
pwang at chromium.org
Fri Jul 20 22:01:04 UTC 2018
Add a check on the length of the buf to avoid a buffer overflow attack.
---
src/vrend_decode.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index 2432938..09205d9 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -73,7 +73,7 @@ static int vrend_decode_create_shader(struct vrend_decode_ctx *ctx,
uint8_t *shd_text;
uint32_t type;
- if (length < 5)
+ if (length < VIRGL_OBJ_SHADER_HDR_SIZE(0))
return EINVAL;
type = get_buf_entry(ctx, VIRGL_OBJ_SHADER_TYPE);
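Review bot: The first length test in vrend_decode_create_shader now uses `VIRGL_OBJ_SHADER_HDR_SIZE(0)`, but nothing at that line says why the length is checked in two stages. A short comment above it would help, for example `/* fixed header dwords only; re-checked below once num_so_outputs is known */`, so a later cleanup does not merge or drop one of the two checks. The function body starts before and continues after this hunk.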
@@ -81,6 +81,8 @@ static int vrend_decode_create_shader(struct vrend_decode_ctx *ctx,
offlen = get_buf_entry(ctx, VIRGL_OBJ_SHADER_OFFSET);
num_so_outputs = get_buf_entry(ctx, VIRGL_OBJ_SHADER_SO_NUM_OUTPUTS);
+ if (length < VIRGL_OBJ_SHADER_HDR_SIZE(num_so_outputs))
+ return EINVAL;
if (num_so_outputs > PIPE_MAX_SO_OUTPUTS)
return EINVAL;
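Review bot: The added length check evaluates `VIRGL_OBJ_SHADER_HDR_SIZE(num_so_outputs)` before `num_so_outputs` has been bounded by `PIPE_MAX_SO_OUTPUTS`, so the macro runs on an unvalidated value read from the command buffer. The macro definition is not visible here; if it multiplies its argument, as a per-output header size presumably does, a very large count could wrap and yield a size smaller than the real header. The range check that follows still rejects such counts, so this looks safe as written, but only because of statement order. Putting `if (num_so_outputs > PIPE_MAX_SO_OUTPUTS) return EINVAL;` first and `if (length < VIRGL_OBJ_SHADER_HDR_SIZE(num_so_outputs)) return EINVAL;` after it keeps the size computation within a known range; the function continues outside the hunk.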
--
2.18.0.233.g985f88cf7e-goog