Commit bfa6cd74 authored by Marc-André Lureau's avatar Marc-André Lureau Committed by Dave Airlie

renderer: prevent out of bound vps access

Fix found thanks to american fuzzy lop.
Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
parent 18e4808c
......@@ -172,7 +172,7 @@ static int vrend_decode_set_viewport_state(struct vrend_decode_ctx *ctx, int len
{
struct pipe_viewport_state vps[PIPE_MAX_VIEWPORTS];
int i, v;
int num_viewports, start_slot;
uint32_t num_viewports, start_slot;
if (length < 1)
return EINVAL;
......
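Review bot: The local `vps[PIPE_MAX_VIEWPORTS]` array in vrend_decode_set_viewport_state is not protected by anything visible in this hunk, which only changes the type of `num_viewports` and `start_slot`. The range check this commit adds lives in vrend_set_viewport_states, which presumably receives `vps` as its `state` argument only after the decoder has filled it. If the part of the body outside the hunk does not already bound the count, the same guard belongs here before the first write to `vps`: `if (num_viewports > PIPE_MAX_VIEWPORTS || start_slot > (PIPE_MAX_VIEWPORTS - num_viewports)) return EINVAL;`. `int i, v;` also stays signed, so any loop that compares `v` with the now-unsigned `num_viewports` mixes signedness.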
......@@ -1562,8 +1562,8 @@ void vrend_set_framebuffer_state(struct vrend_context *ctx,
* an FBO already so don't need to invert rendering?
*/
void vrend_set_viewport_states(struct vrend_context *ctx,
int start_slot,
int num_viewports,
uint32_t start_slot,
uint32_t num_viewports,
const struct pipe_viewport_state *state)
{
/* convert back to glViewport */
......@@ -1574,6 +1574,12 @@ void vrend_set_viewport_states(struct vrend_context *ctx,
GLfloat abs_s1 = fabsf(state->scale[1]);
int i, idx;
if (num_viewports > PIPE_MAX_VIEWPORTS ||
start_slot > (PIPE_MAX_VIEWPORTS - num_viewports)) {
report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER, num_viewports);
return;
}
for (i = 0; i < num_viewports; i++) {
idx = start_slot + i;
......
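Review bot: The loop variables in vrend_set_viewport_states are still declared `int i, idx;`, so `i < num_viewports` now compares a signed value with a `uint32_t` and `idx = start_slot + i` narrows an unsigned sum back to `int`. The new guard keeps both values within PIPE_MAX_VIEWPORTS, but `uint32_t i, idx;` would keep the types consistent and avoid a sign-compare warning, provided nothing outside the hunk needs them signed. The guard depends on its first test to stop `PIPE_MAX_VIEWPORTS - num_viewports` from wrapping, which deserves a comment such as `/* num_viewports is checked first so the subtraction below cannot wrap */`. The error report passes `num_viewports` even when `start_slot` is the out-of-range value, so the logged number can point at the wrong field. The function body continues outside the hunk.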
......@@ -210,7 +210,7 @@ int vrend_transfer_inline_write(struct vrend_context *ctx,
unsigned usage);
void vrend_set_viewport_states(struct vrend_context *ctx,
int start_slot, int num_viewports,
uint32_t start_slot, uint32_t num_viewports,
const struct pipe_viewport_state *state);
void vrend_set_num_sampler_views(struct vrend_context *ctx,
uint32_t shader_type,
......