Commit 04390599, authored by Marc-André Lureau, committed by Dave Airlie

renderer: over-allocate shader buffer

Since the memcpy() is done over multiple of 4 bytes, over-allocate the
destination buffer to fit multiple of 4 shader length.

Fix found thanks to american fuzzy lop.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
parent e215bde7
...@@ -2155,12 +2155,12 @@ int vrend_create_shader(struct vrend_context *ctx, ...@@ -2155,12 +2155,12 @@ int vrend_create_shader(struct vrend_context *ctx,
return ENOMEM; return ENOMEM;
if (long_shader) { if (long_shader) {
sel->tmp_buf = malloc(offlen); sel->buf_len = ((offlen + 3) / 4) * 4; /* round up buffer size */
sel->tmp_buf = malloc(sel->buf_len);
if (!sel->tmp_buf) { if (!sel->tmp_buf) {
free(sel); free(sel);
return ENOMEM; return ENOMEM;
} }
sel->buf_len = offlen;
memcpy(sel->tmp_buf, shd_text, pkt_length * 4); memcpy(sel->tmp_buf, shd_text, pkt_length * 4);
sel->buf_offset = pkt_length * 4; sel->buf_offset = pkt_length * 4;
ctx->sub->long_shader_in_progress_handle[type] = handle; ctx->sub->long_shader_in_progress_handle[type] = handle;
......
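Review bot: In the long_shader branch the copy length is still not tied to the allocation size. `memcpy(sel->tmp_buf, shd_text, pkt_length * 4)` runs against a buffer of `sel->buf_len` bytes, and nothing in the visible lines checks that `pkt_length * 4 <= sel->buf_len`. Rounding `offlen` up to the next multiple of 4 only covers a shortfall of at most 3 bytes, so a guest-supplied `offlen` that is smaller than the packet payload by more than that would still overflow the heap buffer. Unless that relation is validated earlier in vrend_create_shader (not shown here), add an explicit check before the memcpy, free `sel` and return an error when it fails. Two smaller points: `(offlen + 3)` can wrap for values near the top of the type's range, giving a tiny allocation, so it is worth rejecting an oversized `offlen` before rounding; and `sel->buf_len` now holds the rounded size instead of `offlen`, so any later code that compares `buf_offset` against `buf_len` to decide the shader is complete should be checked against the new meaning.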