decode: check we don't reach MAX_VIEWPORTS

Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

decode: check we don't reach MAX_VIEWPORTS
Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2aa6c5bc · Marc-André Lureau · Dave Airlie · e0e423aa · 2aa6c5bc
Commit 2aa6c5bc authored Jan 19, 2016 by Marc-André Lureau Committed by Dave Airlie Feb 10, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

src/vrend_decode.c src/vrend_decode.c +4 -2

No files found.
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -180,10 +180,12 @@ static int vrend_decode_set_viewport_state(struct vrend_decode_ctx *ctx, int len
      return EINVAL;

   num_viewports = (length - 1) / 6;
-   if (num_viewports > PIPE_MAX_VIEWPORTS)
+   start_slot = get_buf_entry(ctx, VIRGL_SET_VIEWPORT_START_SLOT);
+
+   if (num_viewports > PIPE_MAX_VIEWPORTS ||
+       start_slot > (PIPE_MAX_VIEWPORTS - num_viewports))
      return EINVAL;

-   start_slot = get_buf_entry(ctx, VIRGL_SET_VIEWPORT_START_SLOT);
   for (v = 0; v < num_viewports; v++) {
      for (i = 0; i < 3; i++)
         vps[v].scale[i] = uif(get_buf_entry(ctx, VIRGL_SET_VIEWPORT_STATE_SCALE_0(v) + i));