From: Eric Anholt Date: Thu, 3 Jan 2013 19:56:54 +0000 (-0800) Subject: mesa: Validate count parameters when marshalling. X-Git-Tag: upstream/17.1.0~1354 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a76a3cf664f93ca8a0a62281907a3f3342f44054;p=platform%2Fupstream%2Fmesa.git mesa: Validate count parameters when marshalling. Otherwise, for example, glDeleteBuffers(-1, &bo) gets you a segfault instead of GL_INVALID_VALUE. Acked-by: Timothy Arceri Acked-by: Marek Olšák Tested-by: Dieter Nützel Tested-by: Mike Lothian --- diff --git a/src/mapi/glapi/gen/gl_marshal.py b/src/mapi/glapi/gen/gl_marshal.py index b7e05ac..e4137f4 100644 --- a/src/mapi/glapi/gen/gl_marshal.py +++ b/src/mapi/glapi/gen/gl_marshal.py @@ -175,6 +175,19 @@ class PrintCode(gl_XML.gl_print_base): self.print_sync_call(func) out('}') + def validate_count_or_return(self, func): + # Check that any counts for variable-length arguments might be < 0, in + # which case the command alloc or the memcpy would blow up before we + # get to the validation in Mesa core. + for p in func.parameters: + if p.is_variable_length(): + out('if (unlikely({0} < 0)) {{'.format(p.size_string())) + with indent(): + out('_mesa_glthread_finish(ctx);') + out('_mesa_error(ctx, GL_INVALID_VALUE, "{0}({1} < 0)");'.format(func.name, p.size_string())) + out('return;') + out('}') + def print_async_marshal(self, func): out('static void GLAPIENTRY') out('_mesa_marshal_{0}({1})'.format( @@ -191,6 +204,8 @@ class PrintCode(gl_XML.gl_print_base): out('debug_print_marshal("{0}");'.format(func.name)) + self.validate_count_or_return(func) + out('if (cmd_size <= MARSHAL_MAX_CMD_SIZE) {') with indent(): self.print_async_dispatch(func)