File 0009-e534b51c-gallium-tgsi-fix-overflow-in-parse-property.patch of Package virglrenderer

From e534b51ca3c3cd25f3990589932a9ed711c59b27 Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Tue, 10 Jan 2017 03:56:31 -0500
Subject: [PATCH] gallium/tgsi: fix overflow in parse property
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In parse_identifier, it doesn't stop copying '*pcur'
until it encounters the NULL. As 'ret' is a
fixed-size buffer, if '*pcur' holds a long string,
there will be a buffer overflow. This patch avoids this.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Index: virglrenderer-0.5.0/src/gallium/auxiliary/tgsi/tgsi_text.c
===================================================================
--- virglrenderer-0.5.0.orig/src/gallium/auxiliary/tgsi/tgsi_text.c
+++ virglrenderer-0.5.0/src/gallium/auxiliary/tgsi/tgsi_text.c
@@ -180,14 +180,17 @@ static boolean parse_int( const char **p
    return FALSE;
 }
 
-static boolean parse_identifier( const char **pcur, char *ret )
+static boolean parse_identifier( const char **pcur, char *ret, size_t len )
 {
    const char *cur = *pcur;
    int i = 0;
    if (is_alpha_underscore( cur )) {
       ret[i++] = *cur++;
-      while (is_alpha_underscore( cur ) || is_digit( cur ))
+      while (is_alpha_underscore( cur ) || is_digit( cur )) {
+         if (i == len - 1)
+            return FALSE;
          ret[i++] = *cur++;
+      }
       ret[i++] = '\0';
       *pcur = cur;
       return TRUE;
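Review bot: The bound check inside the `while` loop only protects buffers of at least two bytes: the first `ret[i++] = *cur++` runs before any check, and with a `len` of 0 or 1 the test `i == len - 1` never matches (for 0, `len - 1` wraps to SIZE_MAX), so the copy stays unbounded. The test also compares `int i` against `size_t len`. Declaring `size_t i = 0;` and adding `if (len < 2) return FALSE;` before the first store would close both gaps; the only caller visible in this patch passes `sizeof(id)`, so this is hardening rather than a bug the patch shows to be reachable. On the new FALSE path `ret` is left without a terminator, which deserves a comment above the function such as `/* On overflow returns FALSE; ret is not NUL-terminated and *pcur is unchanged. */`. The end of parse_identifier lies outside the hunk.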
@@ -1590,7 +1593,7 @@ static boolean parse_property( struct tr
       report_error( ctx, "Syntax error" );
       return FALSE;
    }
-   if (!parse_identifier( &ctx->cur, id )) {
+   if (!parse_identifier( &ctx->cur, id, sizeof(id) )) {
       report_error( ctx, "Syntax error" );
       return FALSE;
    }
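Review bot: `sizeof(id)` is the buffer capacity only while `id` is a char array declared in parse_property; its declaration is outside this hunk, so that should be confirmed, since a pointer there would pass the pointer size instead. A short comment at the call, e.g. `/* id is a local array; sizeof(id) is its capacity */`, would keep a later refactor from silently breaking the bound. An over-long property name is now reported with the same "Syntax error" text as a malformed one, which may be worth noting for anyone reading the parser's error output.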