<div dir="ltr">Ping!</div><div class="gmail_extra"><br><div class="gmail_quote">2016-12-29 18:57 GMT+08:00 Li Qiang <span dir="ltr"><<a href="mailto:liq3ea@gmail.com" target="_blank">liq3ea@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">In the vrend clear dispatch function, the 'buffers' is read from<br>
guest. A malicious guest can specify a bad 'buffers' to make<br>
the function call util_format_is_pure_uint() even when<br>
'ctx->sub->surf[i]' is NULL. This can cause a NULL pointer deref.<br>
Make a sanity check to avoid this.<br>
<br>
Signed-off-by: Li Qiang <<a href="mailto:liq3ea@gmail.com">liq3ea@gmail.com</a>><br>
---<br>
 src/vrend_renderer.c | 4 ++--<br>
 1 file changed, 2 insertions(+), 2 deletions(-)<br>
<br>
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c<br>
index 00b61eb..cd8055d 100644<br>
--- a/src/vrend_renderer.c<br>
+++ b/src/vrend_renderer.c<br>
@@ -2354,10 +2354,10 @@ void vrend_clear(struct vrend_context *ctx,<br>
          mask = buffers >> 2;<br>
          while (mask) {<br>
             i = u_bit_scan(&mask);<br>
-            if (util_format_is_pure_uint(ctx-<wbr>>sub->surf[i]->format))<br>
+            if (i < 8 && ctx->sub->surf[i] && util_format_is_pure_uint(ctx-><wbr>sub->surf[i] && ctx->sub->surf[i]->format))<br>
                glClearBufferuiv(GL_COLOR,<br>
                                 i, (GLuint *)color);<br>
-            else if (util_format_is_pure_sint(ctx-<wbr>>sub->surf[i]->format))<br>
+            else if (i < 8 && ctx->sub->surf[i] && util_format_is_pure_sint(ctx-><wbr>sub->surf[i] && ctx->sub->surf[i]->format))<br>
                glClearBufferiv(GL_COLOR,<br>
                                 i, (GLint *)color);<br>
             else<br>
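</blockquote><div>Review bot: the argument handed to util_format_is_pure_uint() and util_format_is_pure_sint() on the two <code>+</code> lines is <code>ctx->sub->surf[i] && ctx->sub->surf[i]->format</code>, which evaluates to 0 or 1 rather than the surface's format enum, so the pure-uint and pure-sint checks will effectively never match and those clears fall through to the final <code>else</code>. The NULL check is already done by the outer <code>ctx->sub->surf[i] &&</code>, so the call should read <code>util_format_is_pure_uint(ctx->sub->surf[i]->format)</code> (and likewise for the sint case). Consider also replacing the literal <code>8</code> with the named size of the <code>surf</code> array, and checking whether the <code>else</code> branch that an out-of-range or NULL-surface <code>i</code> now reaches indexes <code>surf[i]</code> itself.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">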
<span class="HOEnZb"><font color="#888888">--<br>
2.7.4<br>
<br>
</font></span></blockquote></div><br></div>