File 0004-114688c5-renderer-fix-heap-overflow-in-vertex-elements-state-.patch of Package virglrenderer

From 114688c526fe45f341d75ccd1d85473c3b08f7a7 Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Tue, 27 Dec 2016 04:56:16 -0500
Subject: [PATCH] renderer: fix heap overflow in vertex elements state
 create
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 'num_elements' can be controlled by the guest but the
'vrend_vertex_element_array' has a fixed 'elements' field.
This can cause a heap overflow. Add sanity check of 'num_elements'.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Index: virglrenderer-0.5.0/src/vrend_renderer.c
===================================================================
--- virglrenderer-0.5.0.orig/src/vrend_renderer.c
+++ virglrenderer-0.5.0/src/vrend_renderer.c
@@ -1656,6 +1656,9 @@ int vrend_create_vertex_elements_state(s
    if (!v)
       return ENOMEM;
 
+   if (num_elements > PIPE_MAX_ATTRIBS)
+      return EINVAL;
+
    v->count = num_elements;
    for (i = 0; i < num_elements; i++) {
       memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element));
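
Review bot: the new `return EINVAL` sits after the `if (!v) return ENOMEM;` check, so `v` is already allocated when the bound check fails and nothing releases it. A guest that repeatedly sends an oversized `num_elements` would leak one `v` per rejected request. Either release `v` before returning, or move the `num_elements > PIPE_MAX_ATTRIBS` test ahead of the allocation so there is nothing to clean up. The declaration of `elements` in `vrend_vertex_element_array` is not visible in this hunk. Please confirm that the array is sized to `PIPE_MAX_ATTRIBS`, since the bound is only correct if the two match.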