File 0001-48f67f60-renderer-fix-NULL-pointer-deref-i... of Package virglrenderer

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-48f67f60-renderer-fix-NULL-pointer-deref-in-vrend_clear.patch of Package virglrenderer

From 48f67f60967f963b698ec8df57ec6912a43d6282 Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Thu, 29 Dec 2016 05:57:40 -0500
Subject: [PATCH] renderer: fix NULL pointer deref in vrend_clear

In vrend clear dispatch function, the 'buffers' is read from
guest. A malicious guest can specify a bad 'buffers' to make
a the function call util_format_is_pure_uint() even the
'ctx->sub->surf[i]' is NULL. This can cause a NULL pointer deref.
Make a sanity check to avoid this.

[airlied: use a define]

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Index: virglrenderer-0.5.0/src/vrend_renderer.c
===================================================================
--- virglrenderer-0.5.0.orig/src/vrend_renderer.c
+++ virglrenderer-0.5.0/src/vrend_renderer.c
@@ -325,7 +325,7 @@ struct vrend_sub_context {
    uint32_t fb_id;
    int nr_cbufs, old_nr_cbufs;
    struct vrend_surface *zsurf;
-   struct vrend_surface *surf[8];
+   struct vrend_surface *surf[PIPE_MAX_COLOR_BUFS];
 
    struct vrend_viewport vps[PIPE_MAX_VIEWPORTS];
    float depth_transform, depth_scale;
@@ -1481,7 +1481,7 @@ static void vrend_hw_emit_framebuffer_st
 }
 
 void vrend_set_framebuffer_state(struct vrend_context *ctx,
-                                 uint32_t nr_cbufs, uint32_t surf_handle[8],
+                                 uint32_t nr_cbufs, uint32_t surf_handle[PIPE_MAX_COLOR_BUFS],
                                  uint32_t zsurf_handle)
 {
    struct vrend_surface *surf, *zsurf;
@@ -2354,10 +2354,10 @@ void vrend_clear(struct vrend_context *c
          mask = buffers >> 2;
          while (mask) {
             i = u_bit_scan(&mask);
-            if (util_format_is_pure_uint(ctx->sub->surf[i]->format))
+            if (i < PIPE_MAX_COLOR_BUFS && ctx->sub->surf[i] && util_format_is_pure_uint(ctx->sub->surf[i] && ctx->sub->surf[i]->format))
                glClearBufferuiv(GL_COLOR,
                                 i, (GLuint *)color);
-            else if (util_format_is_pure_sint(ctx->sub->surf[i]->format))
+            else if (i < PIPE_MAX_COLOR_BUFS && ctx->sub->surf[i] && util_format_is_pure_sint(ctx->sub->surf[i] && ctx->sub->surf[i]->format))
                glClearBufferiv(GL_COLOR,
                                 i, (GLint *)color);
             else
Index: virglrenderer-0.5.0/src/vrend_renderer.h
===================================================================
--- virglrenderer-0.5.0.orig/src/vrend_renderer.h
+++ virglrenderer-0.5.0/src/vrend_renderer.h
@@ -127,7 +127,7 @@ void vrend_draw_vbo(struct vrend_context
                     uint32_t cso);

void vrend_set_framebuffer_state(struct vrend_context *ctx,
-                                 uint32_t nr_cbufs, uint32_t surf_handle[8],
+                                 uint32_t nr_cbufs, uint32_t surf_handle[PIPE_MAX_COLOR_BUFS],
                                  uint32_t zsurf_handle);

struct vrend_context *vrend_create_context(int id, uint32_t nlen, const char *debug_name);

Places

File 0001-48f67f60-renderer-fix-NULL-pointer-deref-in-vrend_clear.patch of Package virglrenderer

Places