Overview

File 0007-a5ac4994-vrend-add-sanity-check-for-vertext-buffer-index.patch of Package virglrenderer

From a5ac49940c40ae415eac0cf912eac7070b4ba95d Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Wed, 28 Dec 2016 06:58:43 -0500
Subject: [PATCH] vrend: add sanity check for vertext buffer index
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The vertext_buffer_index is read from guest and then used
to index the 'vbo' array in struct 'vrend_sub_context'.
Add sanity check for this to avoid oob issue.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Index: virglrenderer-0.5.0/src/vrend_decode.c
===================================================================
--- virglrenderer-0.5.0.orig/src/vrend_decode.c
+++ virglrenderer-0.5.0/src/vrend_decode.c
@@ -612,6 +612,10 @@ static int vrend_decode_create_ve(struct
          ve[i].src_offset = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_SRC_OFFSET(i));
          ve[i].instance_divisor = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_INSTANCE_DIVISOR(i));
          ve[i].vertex_buffer_index = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_VERTEX_BUFFER_INDEX(i));
+
+         if (ve[i].vertex_buffer_index >= PIPE_MAX_ATTRIBS)
+            return EINVAL;
+
          ve[i].src_format = get_buf_entry(ctx, VIRGL_OBJ_VERTEX_ELEMENTS_V0_SRC_FORMAT(i));
       }
    }
openSUSE Build Service is sponsored by
Places