authorLi Qiang <liq3ea@gmail.com>2016-12-29 05:57:40 -0500
committerDave Airlie <airlied@redhat.com>2017-02-07 15:04:24 +1000
commit48f67f60967f963b698ec8df57ec6912a43d6282 (patch)
treee8de9f9cd1ff27b67794fee224c00794aac24d03
parent93761787b29f37fa627dea9082cdfc1a1ec608d6 (diff)
renderer: fix NULL pointer deref in vrend_clear
In the vrend clear dispatch function, 'buffers' is read from the guest. A malicious guest can specify a bad 'buffers' to make the function call util_format_is_pure_uint() even when 'ctx->sub->surf[i]' is NULL. This can cause a NULL pointer deref. Add a sanity check to avoid this. [airlied: use a define] Signed-off-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r--src/vrend_renderer.c8
-rw-r--r--src/vrend_renderer.h2
2 files changed, 5 insertions, 5 deletions
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 0af91ae..1bca7ad 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -325,7 +325,7 @@ struct vrend_sub_context {
uint32_t fb_id;
int nr_cbufs, old_nr_cbufs;
struct vrend_surface *zsurf;
- struct vrend_surface *surf[8];
+ struct vrend_surface *surf[PIPE_MAX_COLOR_BUFS];
struct vrend_viewport vps[PIPE_MAX_VIEWPORTS];
float depth_transform, depth_scale;
@@ -1482,7 +1482,7 @@ static void vrend_hw_emit_framebuffer_state(struct vrend_context *ctx)
}
void vrend_set_framebuffer_state(struct vrend_context *ctx,
- uint32_t nr_cbufs, uint32_t surf_handle[8],
+ uint32_t nr_cbufs, uint32_t surf_handle[PIPE_MAX_COLOR_BUFS],
uint32_t zsurf_handle)
{
struct vrend_surface *surf, *zsurf;
@@ -2367,10 +2367,10 @@ void vrend_clear(struct vrend_context *ctx,
mask = buffers >> 2;
while (mask) {
i = u_bit_scan(&mask);
- if (util_format_is_pure_uint(ctx->sub->surf[i]->format))
+ if (i < PIPE_MAX_COLOR_BUFS && ctx->sub->surf[i] && util_format_is_pure_uint(ctx->sub->surf[i] && ctx->sub->surf[i]->format))
glClearBufferuiv(GL_COLOR,
i, (GLuint *)color);
- else if (util_format_is_pure_sint(ctx->sub->surf[i]->format))
+ else if (i < PIPE_MAX_COLOR_BUFS && ctx->sub->surf[i] && util_format_is_pure_sint(ctx->sub->surf[i] && ctx->sub->surf[i]->format))
glClearBufferiv(GL_COLOR,
i, (GLint *)color);
else
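Review bot: The surface-pointer test has been pasted into the argument of util_format_is_pure_uint() on the first added line and of util_format_is_pure_sint() on the second, so each helper receives the truth value of `ctx->sub->surf[i] && ctx->sub->surf[i]->format` (0 or 1) rather than the format enum, and the integer-clear paths will not be selected for real pure-integer surfaces. The outer `i < PIPE_MAX_COLOR_BUFS && ctx->sub->surf[i] &&` guard already protects the dereference, so the argument should be only the format: `if (i < PIPE_MAX_COLOR_BUFS && ctx->sub->surf[i] && util_format_is_pure_uint(ctx->sub->surf[i]->format))` and likewise `else if (i < PIPE_MAX_COLOR_BUFS && ctx->sub->surf[i] && util_format_is_pure_sint(ctx->sub->surf[i]->format))`. With the guards written this way, a bit for an out-of-range or unbound slot falls through to the final else branch, which lies outside the hunk; if that branch issues a clear for index i, a `continue` before the format tests would be the safer way to skip a slot the guest has no surface bound to. vrend_clear starts and ends outside this hunk.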
diff --git a/src/vrend_renderer.h b/src/vrend_renderer.h
index dde7d75..b9eeb71 100644
--- a/src/vrend_renderer.h
+++ b/src/vrend_renderer.h
@@ -127,7 +127,7 @@ void vrend_draw_vbo(struct vrend_context *ctx,
uint32_t cso);
void vrend_set_framebuffer_state(struct vrend_context *ctx,
- uint32_t nr_cbufs, uint32_t surf_handle[8],
+ uint32_t nr_cbufs, uint32_t surf_handle[PIPE_MAX_COLOR_BUFS],
uint32_t zsurf_handle);
struct vrend_context *vrend_create_context(int id, uint32_t nlen, const char *debug_name);