From a76a3cf664f93ca8a0a62281907a3f3342f44054 Mon Sep 17 00:00:00 2001 From: Eric Anholt Date: Thu, 3 Jan 2013 11:56:54 -0800 Subject: [PATCH] mesa: Validate count parameters when marshalling. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Otherwise, for example, glDeleteBuffers(-1, &bo) gets you a segfault instead of GL_INVALID_VALUE. Acked-by: Timothy Arceri Acked-by: Marek Olšák Tested-by: Dieter Nützel Tested-by: Mike Lothian --- src/mapi/glapi/gen/gl_marshal.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/mapi/glapi/gen/gl_marshal.py b/src/mapi/glapi/gen/gl_marshal.py index b7e05acb133..e4137f46abe 100644 --- a/src/mapi/glapi/gen/gl_marshal.py +++ b/src/mapi/glapi/gen/gl_marshal.py @@ -175,6 +175,19 @@ class PrintCode(gl_XML.gl_print_base): self.print_sync_call(func) out('}') + def validate_count_or_return(self, func): + # Check that any counts for variable-length arguments might be < 0, in + # which case the command alloc or the memcpy would blow up before we + # get to the validation in Mesa core. + for p in func.parameters: + if p.is_variable_length(): + out('if (unlikely({0} < 0)) {{'.format(p.size_string())) + with indent(): + out('_mesa_glthread_finish(ctx);') + out('_mesa_error(ctx, GL_INVALID_VALUE, "{0}({1} < 0)");'.format(func.name, p.size_string())) + out('return;') + out('}') + def print_async_marshal(self, func): out('static void GLAPIENTRY') out('_mesa_marshal_{0}({1})'.format( @@ -191,6 +204,8 @@ class PrintCode(gl_XML.gl_print_base): out('debug_print_marshal("{0}");'.format(func.name)) + self.validate_count_or_return(func) + out('if (cmd_size <= MARSHAL_MAX_CMD_SIZE) {') with indent(): self.print_async_dispatch(func) -- 2.30.2