mesa: fix out of bounds access in glGetFramebufferParameterivEXT
authorMarcin Ślusarz <marcin.slusarz@intel.com>
Fri, 24 Jul 2020 17:19:07 +0000 (19:19 +0200)
committerMarge Bot <eric+marge@anholt.net>
Thu, 30 Jul 2020 10:41:00 +0000 (10:41 +0000)
ColorDrawBuffer is an array of MAX_DRAW_BUFFERS == 8.

Found by Coverity.

Signed-off-by: Marcin Ślusarz <marcin.slusarz@intel.com>
Fixes: 7534c536ca0 ("mesa: add EXT_dsa (Named)Framebuffer functions")
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/6067>

src/mesa/main/fbobject.c

index 2f2c7dc45a97e74d12e4a073d72376505ae489dd..55f2fe9bf426dacc1da587562ee8a4181ac3d252 100644 (file)
@@ -4814,7 +4814,11 @@ _mesa_GetFramebufferParameterivEXT(GLuint framebuffer, GLenum pname,
          *param = fb->ColorReadBuffer;
       }
       else if (GL_DRAW_BUFFER0 <= pname && pname <= GL_DRAW_BUFFER15) {
          *param = fb->ColorReadBuffer;
       }
       else if (GL_DRAW_BUFFER0 <= pname && pname <= GL_DRAW_BUFFER15) {
-         *param = fb->ColorDrawBuffer[pname - GL_DRAW_BUFFER0];
+         unsigned buffer = pname - GL_DRAW_BUFFER0;
+         if (buffer < ARRAY_SIZE(fb->ColorDrawBuffer))
+            *param = fb->ColorDrawBuffer[buffer];
+         else
+            _mesa_error(ctx, GL_INVALID_ENUM, "glGetFramebufferParameterivEXT(pname)");
       }
       else {
          _mesa_error(ctx, GL_INVALID_ENUM, "glGetFramebufferParameterivEXT(pname)");
       }
       else {
          _mesa_error(ctx, GL_INVALID_ENUM, "glGetFramebufferParameterivEXT(pname)");