From cbc8d8b75be360236cada63784046688aeb6d921 Mon Sep 17 00:00:00 2001
From: Gert Wollny <gert.wollny@collabora.com>
Date: Tue, 8 Oct 2019 16:51:11 +0200
Subject: [PATCH] vrend: check transfer bounds for negative values too and
 report error

Closes #138

Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
---
 src/virgl_hw.h       |  1 +
 src/vrend_renderer.c | 16 ++++++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/virgl_hw.h b/src/virgl_hw.h
index 82b0ccc..5656795 100644
--- a/src/virgl_hw.h
+++ b/src/virgl_hw.h
@@ -380,6 +380,7 @@ enum virgl_ctx_errors {
         VIRGL_ERROR_CTX_ILLEGAL_VERTEX_FORMAT,
         VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER,
         VIRGL_ERROR_CTX_ILLEGAL_FORMAT,
+        VIRGL_ERROR_CTX_TRANSFER_IOV_BOUNDS,
 };
 
 
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 10c60ec..57f446d 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -643,7 +643,7 @@ static inline const char *pipe_shader_to_prefix(int shader_type)
    };
 }
 
-static const char *vrend_ctx_error_strings[] = { "None", "Unknown", "Illegal shader", "Illegal handle", "Illegal resource", "Illegal surface", "Illegal vertex format", "Illegal command buffer", "Illegal format ID"  };
+static const char *vrend_ctx_error_strings[] = { "None", "Unknown", "Illegal shader", "Illegal handle", "Illegal resource", "Illegal surface", "Illegal vertex format", "Illegal command buffer", "Illegal format ID", "IOV data size exceeds resource capacity" };
 
 static void __report_context_error(const char *fname, struct vrend_context *ctx, enum virgl_ctx_errors error, uint32_t value)
 {
@@ -5969,7 +5969,7 @@ static bool check_transfer_bounds(struct vrend_resource *res,
       return false;
    /* these will catch bad y/z/w/d with 1D textures etc */
    lwidth = u_minify(res->base.width0, info->level);
-   if (info->box->width > lwidth)
+   if (info->box->width > lwidth || info->box->width < 0)
       return false;
    if (info->box->x > lwidth)
       return false;
@@ -5977,7 +5977,7 @@ static bool check_transfer_bounds(struct vrend_resource *res,
       return false;
 
    lheight = u_minify(res->base.height0, info->level);
-   if (info->box->height > lheight)
+   if (info->box->height > lheight || info->box->height < 0)
       return false;
    if (info->box->y > lheight)
       return false;
@@ -5986,7 +5986,7 @@ static bool check_transfer_bounds(struct vrend_resource *res,
 
    if (res->base.target == PIPE_TEXTURE_3D) {
       int ldepth = u_minify(res->base.depth0, info->level);
-      if (info->box->depth > ldepth)
+      if (info->box->depth > ldepth || info->box->depth < 0)
          return false;
       if (info->box->z > ldepth)
          return false;
@@ -6651,11 +6651,15 @@ int vrend_renderer_transfer_iov(const struct vrend_transfer_info *info,
       return EINVAL;
    }
 
-   if (!check_transfer_bounds(res, info))
+   if (!check_transfer_bounds(res, info)) {
+      report_context_error(ctx, VIRGL_ERROR_CTX_TRANSFER_IOV_BOUNDS, res->id);
       return EINVAL;
+   }
 
-   if (!check_iov_bounds(res, info, iov, num_iovs))
+   if (!check_iov_bounds(res, info, iov, num_iovs)) {
+      report_context_error(ctx, VIRGL_ERROR_CTX_TRANSFER_IOV_BOUNDS, res->id);
       return EINVAL;
+   }
 
    vrend_hw_switch_context(vrend_lookup_renderer_ctx(0), true);
 
-- 
1.8.3.1