authorLi Qiang <liq3ea@gmail.com>2017-01-07 06:21:09 -0500
committerDave Airlie <airlied@redhat.com>2017-02-07 14:57:49 +1000
commit93761787b29f37fa627dea9082cdfc1a1ec608d6 (patch)
treea8e25ee490a32e81cdeee073957b95b538126eee
parenta2f12a1b0f95b13b6f8dc3d05d7b74b4386394e4 (diff)
renderer: fix integer overflow in create shader
Because 'pkt_length' and 'offlen' can be controlled by a malicious guest, the vrend_create_shader function has an integer overflow that lets the following 'memcpy' access memory out of bounds. This patch avoids this. Signed-off-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r--src/vrend_renderer.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index ad68f71..0af91ae 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -2215,6 +2215,15 @@ int vrend_create_shader(struct vrend_context *ctx,
ret = EINVAL;
goto error;
}
+
+ /*make sure no overflow */
+ if (pkt_length * 4 < pkt_length ||
+ pkt_length * 4 + sel->buf_offset < pkt_length * 4 ||
+ pkt_length * 4 + sel->buf_offset < sel->buf_offset) {
+ ret = EINVAL;
+ goto error;
+ }
+
if ((pkt_length * 4 + sel->buf_offset) > sel->buf_len) {
fprintf(stderr, "Got too large shader continuation %d vs %d\n",
pkt_length * 4 + sel->buf_offset, sel->buf_len);
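Review bot: The wraparound tests on the added lines only detect overflow if `pkt_length` and `sel->buf_offset` are unsigned; the `%d` conversions in the fprintf at the bottom of the hunk suggest at least `buf_offset` may be a signed `int`, and with signed operands an overflowing `pkt_length * 4` is undefined behaviour, so the compiler is entitled to fold `pkt_length * 4 < pkt_length` to false and drop the guard entirely. A form that never overflows is safer whatever the types turn out to be, e.g. `if (pkt_length > UINT32_MAX / 4 || sel->buf_offset > UINT32_MAX - pkt_length * 4) { ret = EINVAL; goto error; }`, which also rejects a negative `buf_offset` through the usual unsigned promotion. I would also compute the sum once into a named local and reuse it in the size check and the message below rather than spelling `pkt_length * 4 + sel->buf_offset` out five times, and put a space after the comment opener (`/* make sure no overflow */`). vrend_create_shader begins before and ends after this hunk, so the declared types are not visible here and should be confirmed before choosing the fix.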