Commit 775f5ed6 authored by Marc-André Lureau's avatar Marc-André Lureau Committed by Dave Airlie

renderer: validate shader_type value

Fix found thanks to american fuzzy lop.
Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
parent ddb49b59
...@@ -898,6 +898,9 @@ static int vrend_decode_bind_sampler_states(struct vrend_decode_ctx *ctx, int le ...@@ -898,6 +898,9 @@ static int vrend_decode_bind_sampler_states(struct vrend_decode_ctx *ctx, int le
if (length < 2) if (length < 2)
return EINVAL; return EINVAL;
if (shader_type >= PIPE_SHADER_TYPES)
return EINVAL;
vrend_bind_sampler_states(ctx->grctx, shader_type, start_slot, num_states, vrend_bind_sampler_states(ctx->grctx, shader_type, start_slot, num_states,
get_buf_ptr(ctx, VIRGL_BIND_SAMPLER_STATES_S0_HANDLE)); get_buf_ptr(ctx, VIRGL_BIND_SAMPLER_STATES_S0_HANDLE));
return 0; return 0;
......
...@@ -3407,6 +3407,11 @@ void vrend_bind_sampler_states(struct vrend_context *ctx, ...@@ -3407,6 +3407,11 @@ void vrend_bind_sampler_states(struct vrend_context *ctx,
int i; int i;
struct vrend_sampler_state *state; struct vrend_sampler_state *state;
if (shader_type >= PIPE_SHADER_TYPES) {
report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER, shader_type);
return;
}
ctx->sub->num_sampler_states[shader_type] = num_states; ctx->sub->num_sampler_states[shader_type] = num_states;
for (i = 0; i < num_states; i++) { for (i = 0; i < num_states; i++) {
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment