ctx_attribs had room for 3 pairs of attributes, but if both flags & reset attributes were being returned it was storing 4 pairs in the array.
Found by Coverity #53442: Out-of-bounds write This could cause an immediate crash or incorrect computations. In create_driver_context: Out-of-bounds write to a buffer (CWE-119) Signed-off-by: Alan Coopersmith <[email protected]> --- glx/glxdri2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/glx/glxdri2.c b/glx/glxdri2.c index c756bf5..5a8966f 100644 --- a/glx/glxdri2.c +++ b/glx/glxdri2.c @@ -475,7 +475,7 @@ create_driver_context(__GLXDRIcontext * context, context->driContext = NULL; if (screen->dri2->base.version >= 3) { - uint32_t ctx_attribs[3 * 2]; + uint32_t ctx_attribs[4 * 2]; unsigned num_ctx_attribs = 0; unsigned dri_err = 0; unsigned major_ver; @@ -510,6 +510,8 @@ create_driver_context(__GLXDRIcontext * context, __DRI_CTX_ATTRIB_RESET_STRATEGY; ctx_attribs[num_ctx_attribs++] = reset; } + + assert(num_ctx_attribs <= ARRAY_SIZE(ctx_attribs)); } context->driContext = -- 1.7.9.2
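Review bot: In the first hunk (`uint32_t ctx_attribs[4 * 2];`), the new size is still a bare count that has to be kept in sync by hand with every `ctx_attribs[num_ctx_attribs++] = ...` write below it, which is exactly how the original `3 * 2` went stale once the flags and reset attributes were both emitted. Please add a comment next to the declaration stating which four attribute pairs the array is sized for, or derive the count from a named constant, so the next attribute added to this function cannot silently reintroduce the CWE-119 overflow.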
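Review bot: In the second hunk, `assert(num_ctx_attribs <= ARRAY_SIZE(ctx_attribs));` is placed after the last `ctx_attribs[num_ctx_attribs++] = reset;` store, so by the time it runs any out-of-bounds write has already happened, and with `NDEBUG` defined it compiles away entirely, leaving no check in release builds. A bounds check that guards each store before it executes (for example a small helper that refuses to write when `num_ctx_attribs` has reached `ARRAY_SIZE(ctx_attribs)` and returns an error) would make the overflow impossible rather than merely detectable. Also confirm that the headers providing `assert` and `ARRAY_SIZE` are already included in glx/glxdri2.c, since the hunk adds neither.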
