packages/virglrenderer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
virglrenderer/backport-CVE-2019-18391.patch

47 lines
1.7 KiB
Diff
Raw Permalink Blame History

From 2abeb1802e3c005b17a7123e382171b3fb665971 Mon Sep 17 00:00:00 2001
From: Gert Wollny <gert.wollny@collabora.com>
Date: Tue, 8 Oct 2019 17:27:01 +0200
Subject: [PATCH] vrend: check that the transfer iov holds enough data for the
data upload
Closes #140
Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
---
src/vrend_renderer.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 57f446d..8801f94 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -6115,15 +6115,22 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
invert = true;
}
+ send_size = util_format_get_nblocks(res->base.format, info->box->width,
+ info->box->height) * elsize;
+ if (res->target == GL_TEXTURE_3D ||
+ res->target == GL_TEXTURE_2D_ARRAY ||
+ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+ send_size *= info->box->depth;
+
if (need_temp) {
- send_size = util_format_get_nblocks(res->base.format, info->box->width,
- info->box->height) * elsize * info->box->depth;
data = malloc(send_size);
if (!data)
return ENOMEM;
read_transfer_data(&res->base, iov, num_iovs, data, stride,
info->box, info->level, info->offset, invert);
} else {
+ if (send_size > iov[0].iov_len - info->offset)
+ return EINVAL;
data = (char*)iov[0].iov_base + info->offset;
}
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink