From 043905990f611a150f02d6ef8e0da2353b5705dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Thu, 21 Jan 2016 14:28:53 +0100
Subject: [PATCH] renderer: over-allocate shader buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since the memcpy() is done over multiple of 4 bytes, over-allocate the destination buffer to fit multiple of 4 shader length.

Fix found thanks to american fuzzy lop.

Signed-off-by: Marc-André Lureau
---
 src/vrend_renderer.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 05a2ed7..78792d7 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -2155,12 +2155,12 @@ int vrend_create_shader(struct vrend_context *ctx,
 return ENOMEM;
 
 if (long_shader) {
- sel->tmp_buf = malloc(offlen);
+ sel->buf_len = ((offlen + 3) / 4) * 4; /* round up buffer size */
+ sel->tmp_buf = malloc(sel->buf_len);
 if (!sel->tmp_buf) {
 free(sel);
 return ENOMEM;
 }
- sel->buf_len = offlen;
 memcpy(sel->tmp_buf, shd_text, pkt_length * 4);
 sel->buf_offset = pkt_length * 4;
 ctx->sub->long_shader_in_progress_handle[type] = handle;
-- 
GitLab
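Review bot: The memcpy on the new side still copies `pkt_length * 4` bytes into a buffer sized from `offlen`, and nothing in the hunk relates the two, so if `pkt_length * 4` can exceed `sel->buf_len` the copy overruns the allocation; the rounding only covers the case where offlen is not a multiple of 4, not an oversized packet. If that bound is not already enforced before this point (vrend_create_shader starts and continues outside the hunk), add `if (pkt_length * 4 > sel->buf_len) { free(sel->tmp_buf); free(sel); return EINVAL; }` between the allocation and the memcpy. The `offlen + 3` rounding also deserves a guard or at least a comment if offlen is a 32-bit value taken from the command stream, since a value near its maximum wraps to a tiny buf_len that malloc will happily return; e.g. `/* offlen is caller-supplied; the caller must bound it so offlen + 3 cannot wrap */`.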