From 775f5ed62a4eb3ceb4960a0cd4292a14883f86d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 19 Jan 2016 01:06:55 +0100
Subject: [PATCH] renderer: validate shader_type value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix found thanks to american fuzzy lop.

Signed-off-by: Marc-André Lureau
---
 src/vrend_decode.c | 3 +++
 src/vrend_renderer.c | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index a5467e3..ff15f35 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -898,6 +898,9 @@ static int vrend_decode_bind_sampler_states(struct vrend_decode_ctx *ctx, int le
 if (length < 2) return EINVAL;
+ if (shader_type >= PIPE_SHADER_TYPES)
+ return EINVAL;
+
 vrend_bind_sampler_states(ctx->grctx, shader_type, start_slot, num_states, get_buf_ptr(ctx, VIRGL_BIND_SAMPLER_STATES_S0_HANDLE));
 return 0;
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index ab60729..fcd79c5 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -3407,6 +3407,11 @@ void vrend_bind_sampler_states(struct vrend_context *ctx,
 int i;
 struct vrend_sampler_state *state;
+ if (shader_type >= PIPE_SHADER_TYPES) {
+ report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER, shader_type);
+ return;
+ }
+
 ctx->sub->num_sampler_states[shader_type] = num_states;
 for (i = 0; i < num_states; i++) {
-- 
GitLab
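Review bot: In the src/vrend_decode.c hunk, `start_slot` and `num_states` are still passed to `vrend_bind_sampler_states()` with no range check in the visible lines, although they presumably come from the same guest command buffer as `shader_type`. The src/vrend_renderer.c hunk has the same gap: `num_states` is stored in `num_sampler_states[shader_type]` and used as the loop bound right after the new guard. If the loop body (outside the hunk) indexes a fixed-size per-stage array, a bound is needed next to the new one, for example `if (num_states > <SAMPLER_SLOT_LIMIT> || start_slot > <SAMPLER_SLOT_LIMIT> - num_states) return EINVAL;`, where `<SAMPLER_SLOT_LIMIT>` is a placeholder for the project's real array size. The function starts before the hunk, so an earlier check on these values may exist and should be confirmed.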
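Review bot: The new guard in the src/vrend_renderer.c hunk, `shader_type >= PIPE_SHADER_TYPES`, rejects only values at or above the limit, so it is sufficient only if `shader_type` is an unsigned type. The parameter list is cut off by the hunk header, and the same applies to the local variable in the src/vrend_decode.c hunk. If either is a signed `int`, a negative value would pass the test and index before the start of `num_sampler_states`, so the declarations should be confirmed unsigned or the test extended. A short comment above the guard would also help, such as `/* shader_type indexes per-stage arrays in ctx->sub and is guest-controlled; the decoder checks it too, this is the last line of defence */`, so the duplicate check is not later removed as redundant.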