Module: Mesa Branch: master Commit: 6205c533030687c9680f5175e8158060c6e24221 URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=6205c533030687c9680f5175e8158060c6e24221
Author: Li Qiang <[email protected]> Date: Tue Jan 10 03:56:31 2017 -0500 gallium/tgsi: fix overflow in parse property In parse_identifier, it doesn't stop copying '*pcur' untill encounter the NULL. As the 'ret' has a fixed-size buffer, if the '*pcur' has a long string, there will be a buffer overflow. This patch avoid this. Signed-off-by: Li Qiang <[email protected]> Signed-off-by: Marek Olšák <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> --- src/gallium/auxiliary/tgsi/tgsi_text.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/gallium/auxiliary/tgsi/tgsi_text.c b/src/gallium/auxiliary/tgsi/tgsi_text.c index 1b4f594..308e6b5 100644 --- a/src/gallium/auxiliary/tgsi/tgsi_text.c +++ b/src/gallium/auxiliary/tgsi/tgsi_text.c @@ -208,14 +208,17 @@ static boolean parse_int( const char **pcur, int *val ) return FALSE; } -static boolean parse_identifier( const char **pcur, char *ret ) +static boolean parse_identifier( const char **pcur, char *ret, size_t len ) { const char *cur = *pcur; int i = 0; if (is_alpha_underscore( cur )) { ret[i++] = *cur++; - while (is_alpha_underscore( cur ) || is_digit( cur )) + while (is_alpha_underscore( cur ) || is_digit( cur )) { + if (i == len - 1) + return FALSE; ret[i++] = *cur++; + } ret[i++] = '\0'; *pcur = cur; return TRUE; @@ -1787,7 +1790,7 @@ static boolean parse_property( struct translate_ctx *ctx ) report_error( ctx, "Syntax error" ); return FALSE; } - if (!parse_identifier( &ctx->cur, id )) { + if (!parse_identifier( &ctx->cur, id, sizeof(id) )) { report_error( ctx, "Syntax error" ); return FALSE; } _______________________________________________ mesa-commit mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/mesa-commit
