| 1 |
From 0dd88cf9aefcfc301002b128163ec740368c2537 Mon Sep 17 00:00:00 2001 |
| 2 |
From: Kevin Strasser <kevin.strasser@intel.com> |
| 3 |
Date: Mon, 28 Jan 2019 10:42:44 -0800 |
| 4 |
Subject: [PATCH 07/22] egl/dri: Avoid out of bounds array access |
| 5 |
|
| 6 |
indexConfigAttrib iterates over every index in the dri driver, possibly |
| 7 |
exceeding __DRI_ATTRIB_MAX. In other words, if the dri driver has newer |
| 8 |
attributes libEGL will end up reading from uninitialized memory through |
| 9 |
dri2_to_egl_attribute_map[]. |
| 10 |
|
| 11 |
Signed-off-by: Kevin Strasser <kevin.strasser@intel.com> |
| 12 |
Cc: mesa-stable@lists.freedesktop.org |
| 13 |
Reviewed-by: Emil Velikov <emil.velikov@collabora.com> |
| 14 |
(cherry picked from commit 70b36c0ef939048acb9c4727b2e4280fc090eb74) |
| 15 |
--- |
| 16 |
src/egl/drivers/dri2/egl_dri2.c | 6 ++++-- |
| 17 |
1 file changed, 4 insertions(+), 2 deletions(-) |
| 18 |
|
| 19 |
diff --git a/src/egl/drivers/dri2/egl_dri2.c b/src/egl/drivers/dri2/egl_dri2.c |
| 20 |
index c98b9a5d18a..645d7257406 100644 |
| 21 |
--- a/src/egl/drivers/dri2/egl_dri2.c |
| 22 |
+++ b/src/egl/drivers/dri2/egl_dri2.c |
| 23 |
@@ -199,8 +199,10 @@ dri2_add_config(_EGLDisplay *disp, const __DRIconfig *dri_config, int id, |
| 24 |
bind_to_texture_rgb = 0; |
| 25 |
bind_to_texture_rgba = 0; |
| 26 |
|
| 27 |
- for (int i = 0; dri2_dpy->core->indexConfigAttrib(dri_config, i, &attrib, |
| 28 |
- &value); ++i) { |
| 29 |
+ for (int i = 0; i < __DRI_ATTRIB_MAX; ++i) { |
| 30 |
+ if (!dri2_dpy->core->indexConfigAttrib(dri_config, i, &attrib, &value)) |
| 31 |
+ break; |
| 32 |
+ |
| 33 |
switch (attrib) { |
| 34 |
case __DRI_ATTRIB_RENDER_TYPE: |
| 35 |
if (value & __DRI_ATTRIB_RGBA_BIT) |
| 36 |
-- |
| 37 |
2.21.0 |
| 38 |
|
Parent Directory
| 
Revision Log