SUSE:SLE-12-SP4:GA
virglrenderer
File 0011-93761787-renderer-fix-integer-overflow-in-create-shader.patch of Package virglrenderer
From 93761787b29f37fa627dea9082cdfc1a1ec608d6 Mon Sep 17 00:00:00 2001 From: Li Qiang <liq3ea@gmail.com> Date: Sat, 7 Jan 2017 06:21:09 -0500 Subject: [PATCH] renderer: fix integer overflow in create shader As the 'pkt_length' and 'offlen' can be malicious from guest, the vrend_create_shader function has an integer overflow, this will make the next 'memcpy' oob access. This patch avoid this. Signed-off-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Index: virglrenderer-0.5.0/src/vrend_renderer.c =================================================================== --- virglrenderer-0.5.0.orig/src/vrend_renderer.c +++ virglrenderer-0.5.0/src/vrend_renderer.c @@ -2214,6 +2214,15 @@ int vrend_create_shader(struct vrend_con ret = EINVAL; goto error; } + + /*make sure no overflow */ + if (pkt_length * 4 < pkt_length || + pkt_length * 4 + sel->buf_offset < pkt_length * 4 || + pkt_length * 4 + sel->buf_offset < sel->buf_offset) { + ret = EINVAL; + goto error; + } + if ((pkt_length * 4 + sel->buf_offset) > sel->buf_len) { fprintf(stderr, "Got too large shader continuation %d vs %d\n", pkt_length * 4 + sel->buf_offset, sel->buf_len);
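Review bot: the first condition of the new check, `pkt_length * 4 < pkt_length`, does not detect every wrap of the multiplication. The operand types are not visible in this hunk, but if they are 32-bit unsigned, a value such as 0x7fffffff multiplies to 0xfffffffc after truncation. That is not less than `pkt_length`, so the test passes and rejection is left to the addition checks and the later `> sel->buf_len` comparison. If the operands are signed instead, the overflow is undefined behaviour and the compiler is free to drop the test entirely. A form that never computes the overflowing product is safer: first confirm `sel->buf_offset <= sel->buf_len`, then reject when `pkt_length > (sel->buf_len - sel->buf_offset) / 4`, which also covers the existing "too large shader continuation" comparison. The third condition is redundant with the second under unsigned wraparound. The `%d` conversions in the unchanged `fprintf` should match the operand types.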