mesa: Validate count parameters when marshalling.

Otherwise, for example, glDeleteBuffers(-1, &bo) gets you a segfault
instead of GL_INVALID_VALUE.

Acked-by: Timothy Arceri <tarceri@itsqueeze.com>
Acked-by: Marek Olšák <maraeo@gmail.com>
Tested-by: Dieter Nützel <Dieter@nuetzel-hh.de>
Tested-by: Mike Lothian <mike@fireburn.co.uk>

diff --git a/src/mapi/glapi/gen/gl_marshal.py b/src/mapi/glapi/gen/gl_marshal.py
index b7e05acb133144f65436c6080d5f0b92e5d0a8ec..e4137f46abe2242a842f88fa7fcdec63fe1939a5 100644 (file)
--- a/src/mapi/glapi/gen/gl_marshal.py
+++ b/src/mapi/glapi/gen/gl_marshal.py
@@ -175,6 +175,19 @@ class PrintCode(gl_XML.gl_print_base):
             self.print_sync_call(func)
         out('}')
 
+    def validate_count_or_return(self, func):
+        # Check that any counts for variable-length arguments might be < 0, in
+        # which case the command alloc or the memcpy would blow up before we
+        # get to the validation in Mesa core.
+        for p in func.parameters:
+            if p.is_variable_length():
+                out('if (unlikely({0} < 0)) {{'.format(p.size_string()))
+                with indent():
+                    out('_mesa_glthread_finish(ctx);')
+                    out('_mesa_error(ctx, GL_INVALID_VALUE, "{0}({1} < 0)");'.format(func.name, p.size_string()))
+                    out('return;')
+                out('}')
+
     def print_async_marshal(self, func):
         out('static void GLAPIENTRY')
         out('_mesa_marshal_{0}({1})'.format(
@@ -191,6 +204,8 @@ class PrintCode(gl_XML.gl_print_base):
 
             out('debug_print_marshal("{0}");'.format(func.name))
 
+            self.validate_count_or_return(func)
+
             out('if (cmd_size <= MARSHAL_MAX_CMD_SIZE) {')
             with indent():
                 self.print_async_dispatch(func)