tpl_wl_vk_thread: Fixed bug related to buffer_count to prevent heap-overflow.

author Joonbum Ko <joonbum.ko@samsung.com>

Tue, 20 Nov 2018 06:52:52 +0000 (15:52 +0900)

committer Joonbum Ko <joonbum.ko@samsung.com>

Wed, 21 Nov 2018 05:30:17 +0000 (14:30 +0900)
author Joonbum Ko <joonbum.ko@samsung.com>
Tue, 20 Nov 2018 06:52:52 +0000 (15:52 +0900)
committer Joonbum Ko <joonbum.ko@samsung.com>
Wed, 21 Nov 2018 05:30:17 +0000 (14:30 +0900)
diff --git a/src/tpl_wl_vk_thread.c b/src/tpl_wl_vk_thread.c

index 43f5a84..cb4f549 100644 (file)
--- a/src/tpl_wl_vk_thread.c
+++ b/src/tpl_wl_vk_thread.c
@@ -540,18 +540,28 @@ __tpl_wl_vk_wsi_surface_get_swapchain_buffers(tpl_surface_t *surface,
         TPL_ASSERT(buffer_count);
  
         wayland_vk_wsi_surface = (tpl_wayland_vk_wsi_surface_t *)surface->backend.data;
-       wayland_vk_wsi_surface->swapchain_buffers = (tbm_surface_h *)calloc(
-                                                                               wayland_vk_wsi_surface->buffer_count,
-                                                                               sizeof(tbm_surface_h));
-       if (!wayland_vk_wsi_surface->swapchain_buffers) {
-               TPL_ERR("Failed to allocate memory for buffers.");
-               return TPL_ERROR_OUT_OF_MEMORY;
-       }
-
         wayland_vk_wsi_display = (tpl_wayland_vk_wsi_display_t *)surface->display->backend.data;
  
         if (twe_display_lock(wayland_vk_wsi_display->twe_display) == TPL_ERROR_NONE) {
                 ret = twe_surface_get_swapchain_buffers(wayland_vk_wsi_surface->twe_surface,
+                                                                                               NULL, buffer_count);
+               if (ret != TPL_ERROR_NONE) {
+                       TPL_ERR("Failed to get buffer_count. twe_surface(%p)",
+                                       wayland_vk_wsi_surface->twe_surface);
+                       twe_display_unlock(wayland_vk_wsi_display->twe_display);
+                       return ret;
+               }
+
+               wayland_vk_wsi_surface->swapchain_buffers = (tbm_surface_h *)calloc(
+                                                                               *buffer_count,
+                                                                               sizeof(tbm_surface_h));
+               if (!wayland_vk_wsi_surface->swapchain_buffers) {
+                       TPL_ERR("Failed to allocate memory for buffers.");
+                       twe_display_unlock(wayland_vk_wsi_display->twe_display);
+                       return TPL_ERROR_OUT_OF_MEMORY;
+               }
+
+               ret = twe_surface_get_swapchain_buffers(wayland_vk_wsi_surface->twe_surface,
                                                                                                 wayland_vk_wsi_surface->swapchain_buffers,
                                                                                                 buffer_count);
                 if (ret != TPL_ERROR_NONE) {
@@ -564,14 +574,15 @@ __tpl_wl_vk_wsi_surface_get_swapchain_buffers(tpl_surface_t *surface,
                 }
  
                 for (i = 0; i < *buffer_count; i++) {
-                       TPL_DEBUG("swapchain_buffers[%d] = tbm_surface(%p) bo(%d)",
-                                         i, wayland_vk_wsi_surface->swapchain_buffers[i],
-                                         tbm_bo_export(tbm_surface_internal_get_bo(
-                                                 wayland_vk_wsi_surface->swapchain_buffers[i], 0)));
-                       tbm_surface_internal_ref(wayland_vk_wsi_surface->swapchain_buffers[i]);
+                       if (wayland_vk_wsi_surface->swapchain_buffers[i]) {
+                               TPL_DEBUG("swapchain_buffers[%d] = tbm_surface(%p) bo(%d)",
+                                                 i, wayland_vk_wsi_surface->swapchain_buffers[i],
+                                                 tbm_bo_export(tbm_surface_internal_get_bo(
+                                                         wayland_vk_wsi_surface->swapchain_buffers[i], 0)));
+                               tbm_surface_internal_ref(wayland_vk_wsi_surface->swapchain_buffers[i]);
+                       }
                 }
  
-
                 *buffers = wayland_vk_wsi_surface->swapchain_buffers;
  
                 twe_display_unlock(wayland_vk_wsi_display->twe_display);
author	Joonbum Ko <joonbum.ko@samsung.com>
	Tue, 20 Nov 2018 06:52:52 +0000 (15:52 +0900)
committer	Joonbum Ko <joonbum.ko@samsung.com>
	Wed, 21 Nov 2018 05:30:17 +0000 (14:30 +0900)