Module: Mesa
Branch: master
Commit: a1c5cd426c0381124f7c320d5a7b760a9a36af75
URL:
http://cgit.freedesktop.org/mesa/mesa/commit/?id=a1c5cd426c0381124f7c320d5a7b760a9a36af75
Author: Adam Jackson <a...@redhat.com>
Date: Tue May 24 15:45:11 2016 -0400
glapi/glx: Add overflow checks to the client-side indirect code
Coverity complains that the computed sizes can lead to negative lengths
passed to memcpy. If that happens we've been handed invalid arguments
anyway, so just bomb out.
The funky "0%s" is because the size string for the variable-length part
of the request is of the form "+ safe_pad() ...", and a unary + would
coerce the result to always be positive, defeating the overflow check.
Signed-off-by: Adam Jackson <a...@redhat.com>
Reviewed-by: Matt Turner <matts...@gmail.com>
---
src/mapi/glapi/gen/glX_proto_send.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/mapi/glapi/gen/glX_proto_send.py
b/src/mapi/glapi/gen/glX_proto_send.py
index 10abcff..26e7ab6 100644
--- a/src/mapi/glapi/gen/glX_proto_send.py
+++ b/src/mapi/glapi/gen/glX_proto_send.py
@@ -635,6 +635,15 @@ generic_%u_byte( GLint rop, const void * ptr )
if name != None and name not in f.glx_vendorpriv_names:
print '#endif'
+ if f.command_variable_length() != "":
+ print " if (0%s < 0) {" % f.command_variable_length()
+ print " __glXSetError(gc, GL_INVALID_VALUE);"
+ if f.return_type != 'void':
+ print " return 0;"
+ else:
+ print " return;"
+ print " }"
+
condition_list = []
for p in f.parameterIterateCounters():
condition_list.append( "%s >= 0" % (p.name) )
_______________________________________________
mesa-commit mailing list
mesa-commit@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/mesa-commit
