authorLi Qiang <liq3ea@gmail.com>2016-12-27 04:56:16 -0500
committerDave Airlie <airlied@redhat.com>2017-02-07 14:55:36 +1000
commit114688c526fe45f341d75ccd1d85473c3b08f7a7 (patch)
treea44d5deb05d978f71b45824d4472f8a37a3f336f
parent28894a30a17a84529be102b21118e55d6c9f23fa (diff)
renderer: fix heap overflow in vertex elements state create
The 'num_elements' can be controlled by the guest but the 'vrend_vertex_element_array' has a fixed 'elements' field. This can cause a heap overflow. Add sanity check of 'num_elements'. Signed-off-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r--src/vrend_renderer.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 00b61eb..32e2e7d 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -1656,6 +1656,9 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx,
if (!v)
return ENOMEM;
+ if (num_elements > PIPE_MAX_ATTRIBS)
+ return EINVAL;
+
v->count = num_elements;
for (i = 0; i < num_elements; i++) {
memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element));
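Review bot: The added `num_elements > PIPE_MAX_ATTRIBS` check returns `EINVAL` after `v` has already been allocated, so the rejected path appears to leak `v`; the allocation itself is outside the hunk, but the `if (!v) return ENOMEM;` just above implies it. Since the commit message says `num_elements` is guest-controlled, a guest could hit this path repeatedly and grow host memory without bound. Either move the check ahead of the allocation or release `v` before `return EINVAL;`. A short comment such as `/* num_elements comes from the guest; bound it by the fixed-size elements array */` would record why the limit exists. The function body starts and ends outside the hunk, so any later error paths that also skip freeing `v` are not visible here.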