File 0005-926b9b34-vrend-fix-a-stack-overflow-in-set-framebuffer-state.patch of Package virglrenderer
From 926b9b3460a48f6454d8bbe9e44313d86a65447f Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Mon, 26 Dec 2016 21:23:44 -0500
Subject: [PATCH] vrend: fix a stack overflow in set framebuffer state
Add a sanity check of 'nr_cbufs' to avoid stack
overflow.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Index: virglrenderer-0.5.0/src/vrend_decode.c
===================================================================
--- virglrenderer-0.5.0.orig/src/vrend_decode.c
+++ virglrenderer-0.5.0/src/vrend_decode.c
@@ -136,6 +136,10 @@ static int vrend_decode_set_framebuffer_
if (length != (2 + nr_cbufs))
return EINVAL;
+
+ if (nr_cbufs > 8)
+ return EINVAL;
+
for (i = 0; i < nr_cbufs; i++)
surf_handle[i] = get_buf_entry(ctx, VIRGL_SET_FRAMEBUFFER_STATE_CBUF_HANDLE(i));
vrend_set_framebuffer_state(ctx->grctx, nr_cbufs, surf_handle, zsurf_handle);
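Review bot: the new bound in `if (nr_cbufs > 8)` is a magic number that duplicates the size of the `surf_handle` array, whose declaration is outside this hunk; if that array is ever resized the two will silently drift apart and the overflow the subject line describes comes back. Suggest deriving the limit from the array itself, e.g. `if (nr_cbufs > sizeof(surf_handle) / sizeof(surf_handle[0]))` or a named constant shared with the declaration, and a one-line comment stating that the check guards the `surf_handle[i]` writes in the loop that follows. The placement is otherwise right: the check sits after the `length != (2 + nr_cbufs)` test and before the first write into `surf_handle`, so no out-of-bounds store can occur before rejection.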