diff options
| author | Eric Anholt <eric@anholt.net> | 2013-01-03 11:56:54 -0800 |
|---|---|---|
| committer | Timothy Arceri <tarceri@itsqueeze.com> | 2017-03-16 14:14:18 +1100 |
| commit | a76a3cf664f93ca8a0a62281907a3f3342f44054 (patch) | |
| tree | 493c434398eadec321d4e7d245cfe1df57ece81d /src/mapi | |
| parent | 05dd4a1104ea815e4627bab0fbd35d9abe49f024 (diff) | |
mesa: Validate count parameters when marshalling.
Otherwise, for example, glDeleteBuffers(-1, &bo) gets you a segfault
instead of GL_INVALID_VALUE.
Acked-by: Timothy Arceri <tarceri@itsqueeze.com>
Acked-by: Marek Olšák <maraeo@gmail.com>
Tested-by: Dieter Nützel <Dieter@nuetzel-hh.de>
Tested-by: Mike Lothian <mike@fireburn.co.uk>
Diffstat (limited to 'src/mapi')
| -rw-r--r-- | src/mapi/glapi/gen/gl_marshal.py | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/src/mapi/glapi/gen/gl_marshal.py b/src/mapi/glapi/gen/gl_marshal.py index b7e05acb133..e4137f46abe 100644 --- a/src/mapi/glapi/gen/gl_marshal.py +++ b/src/mapi/glapi/gen/gl_marshal.py @@ -175,6 +175,19 @@ class PrintCode(gl_XML.gl_print_base): self.print_sync_call(func) out('}') + def validate_count_or_return(self, func): + # Check that any counts for variable-length arguments might be < 0, in + # which case the command alloc or the memcpy would blow up before we + # get to the validation in Mesa core. + for p in func.parameters: + if p.is_variable_length(): + out('if (unlikely({0} < 0)) {{'.format(p.size_string())) + with indent(): + out('_mesa_glthread_finish(ctx);') + out('_mesa_error(ctx, GL_INVALID_VALUE, "{0}({1} < 0)");'.format(func.name, p.size_string())) + out('return;') + out('}') + def print_async_marshal(self, func): out('static void GLAPIENTRY') out('_mesa_marshal_{0}({1})'.format( @@ -191,6 +204,8 @@ class PrintCode(gl_XML.gl_print_base): out('debug_print_marshal("{0}");'.format(func.name)) + self.validate_count_or_return(func) + out('if (cmd_size <= MARSHAL_MAX_CMD_SIZE) {') with indent(): self.print_async_dispatch(func) |