authorLi Qiang <liq3ea@gmail.com>2016-12-26 21:23:44 -0500
committerDave Airlie <airlied@redhat.com>2016-12-27 15:55:21 +1000
commit926b9b3460a48f6454d8bbe9e44313d86a65447f (patch)
treec64dfb5c88c0a1e98462f06a251d4bbe70cad623
parent747a293ff6055203e529f083896b823e22523fe7 (diff)
vrend: fix a stack overflow in set framebuffer state
Add a sanity check on 'nr_cbufs' to avoid a stack overflow. Signed-off-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r--src/vrend_decode.c4
1 files changed, 4 insertions, 0 deletions
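--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -136,6 +136,10 @@ static int vrend_decode_set_framebuffer_state(struct vrend_decode_ctx *ctx, int
 if (length != (2 + nr_cbufs))
 return EINVAL;
+
+ if (nr_cbufs > 8)
+ return EINVAL;
+
 for (i = 0; i < nr_cbufs; i++)
 surf_handle[i] = get_buf_entry(ctx, VIRGL_SET_FRAMEBUFFER_STATE_CBUF_HANDLE(i));
 vrend_set_framebuffer_state(ctx->grctx, nr_cbufs, surf_handle, zsurf_handle);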
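Review bot: The new guard `if (nr_cbufs > 8)` hard-codes the capacity of `surf_handle`, whose declaration lies outside the hunk, so the bound and the array can silently drift apart if the array is ever resized; assuming `surf_handle` is a local array, tie the check to it instead, `if (nr_cbufs > sizeof(surf_handle) / sizeof(surf_handle[0])) return EINVAL;`, or to whatever named maximum-colour-buffer constant the renderer already defines. A short comment on the guard, such as `/* nr_cbufs comes from the guest command stream; bound it to the surf_handle capacity before the fill loop below */`, would record why the limit exists for the next reader. If `nr_cbufs` is a signed type, a negative value passes this comparison; its type cannot be told from the hunk, and whether the preceding `length != (2 + nr_cbufs)` test rules that out depends on how `length` is validated earlier, so that is worth confirming. The body of vrend_decode_set_framebuffer_state begins before the hunk and presumably continues past its last line.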