diff options
author | Li Qiang <liq3ea@gmail.com> | 2017-01-10 03:56:31 -0500 |
---|---|---|
committer | Dave Airlie <airlied@redhat.com> | 2017-01-23 11:38:01 +1000 |
commit | e534b51ca3c3cd25f3990589932a9ed711c59b27 (patch) | |
tree | bd8aa511f802c3584c3be01480c8a954ffc08dcf | |
parent | a5ac49940c40ae415eac0cf912eac7070b4ba95d (diff) |
gallium/tgsi: fix overflow in parse property
In parse_identifier, it doesn't stop copying '*pcur'
untill encounter the NULL. As the 'ret' has a
fixed-size buffer, if the '*pcur' has a long string,
there will be a buffer overflow. This patch avoid this.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r-- | src/gallium/auxiliary/tgsi/tgsi_text.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/gallium/auxiliary/tgsi/tgsi_text.c b/src/gallium/auxiliary/tgsi/tgsi_text.c index bef0d72..b94d204 100644 --- a/src/gallium/auxiliary/tgsi/tgsi_text.c +++ b/src/gallium/auxiliary/tgsi/tgsi_text.c @@ -180,14 +180,17 @@ static boolean parse_int( const char **pcur, int *val ) return FALSE; } -static boolean parse_identifier( const char **pcur, char *ret ) +static boolean parse_identifier( const char **pcur, char *ret, size_t len ) { const char *cur = *pcur; int i = 0; if (is_alpha_underscore( cur )) { ret[i++] = *cur++; - while (is_alpha_underscore( cur ) || is_digit( cur )) + while (is_alpha_underscore( cur ) || is_digit( cur )) { + if (i == len - 1) + return FALSE; ret[i++] = *cur++; + } ret[i++] = '\0'; *pcur = cur; return TRUE; @@ -1590,7 +1593,7 @@ static boolean parse_property( struct translate_ctx *ctx ) report_error( ctx, "Syntax error" ); return FALSE; } - if (!parse_identifier( &ctx->cur, id )) { + if (!parse_identifier( &ctx->cur, id, sizeof(id) )) { report_error( ctx, "Syntax error" ); return FALSE; } |