
mesa: fix buffer overflow related to _mesa_program_resource_find_name()

Indeed, _mesa_program_resource_find_name() doesn't check the length of the string "name", which leads to a possible buffer overflow.

This change fixes a random behavior and the following piglit subtest: PIGLIT: {"subtest": {"'vs_input2' on GL_PROGRAM_INPUT" : "fail"}}

For instance, this is triggered with "piglit/bin/arb_program_interface_query-getprogramresourceindex -auto":

==23070==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000040470c at pc 0x7f435a4cdd10 bp 0x7ffd755df730 sp 0x7ffd755df728
READ of size 1 at 0x00000040470c thread T0
    #0 0x7f435a4cdd0f in _mesa_program_resource_find_name ../src/mesa/main/shader_query.cpp:744
    #1 0x7f435a685f28 in _mesa_GetProgramResourceIndex ../src/mesa/main/program_resource.c:199
...
0x00000040470c is located 2 bytes to the right of global variable '*.LC28' defined in 'piglit/tests/spec/arb_program_interface_query/getprogramresourceindex.c' (0x404700) of size 10
  '*.LC28' is ascii string 'vs_input2'
0x00000040470c is located 52 bytes to the left of global variable '*.LC29' defined in 'piglit/tests/spec/arb_program_interface_query/getprogramresourceindex.c' (0x404740) of size 13
  '*.LC29' is ascii string 'vs_input2[0]'

Fixes: 4b67055f ("mesa: rename locals in _mesa_program_resource_find_name for clarity")

Signed-off-by: Patrick Lerda <patrick9876@free.fr>
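
The bug class in the report above, as an added example that is not part of the commit and not Mesa's code: a matcher that indexes the caller's string by the stored resource name's length, beside a variant that compares lengths first. All function names are hypothetical, and it is an assumption that the out-of-bounds index comes from the resource name's length; that assumption agrees with the report, where 0x40470c - 0x404700 = 12 and 'vs_input2[0]' is 12 characters long.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical sketch, not Mesa's code. rname is the stored resource name,
 * name is the caller's query; "foo[0]" may also be queried as "foo". */

/* Index into name that an unchecked matcher would read after a prefix
 * match, assuming it indexes by the resource name's length. */
static size_t unchecked_read_index(const char *rname)
{
    return strlen(rname);
}

/* True if name[idx] lies inside the NUL-terminated string (terminator included). */
static bool index_in_bounds(const char *name, size_t idx)
{
    return idx <= strlen(name);
}

/* Length-checked matcher: no byte of name past its terminator is read. */
static bool resource_name_matches(const char *rname, const char *name)
{
    size_t rlen = strlen(rname);
    size_t nlen = strlen(name);
    size_t baselen = rlen;

    if (rlen >= 3 && strcmp(rname + rlen - 3, "[0]") == 0)
        baselen = rlen - 3;                 /* "foo[0]" -> "foo" */

    if (nlen == rlen)                       /* full name, e.g. "foo[0]" */
        return memcmp(name, rname, rlen) == 0;
    if (nlen == baselen)                    /* base name, e.g. "foo" */
        return memcmp(name, rname, baselen) == 0;
    return false;                           /* lengths differ: no indexing at all */
}

int main(void)
{
    /* Strings taken from the ASan report; the pairing is constructed. */
    const char *rname = "vs_input2[0]", *name = "vs_input2";
    size_t idx = unchecked_read_index(rname);
    bool in_bounds = index_in_bounds(name, idx);   /* 10-byte string, index 12 */
    bool match = resource_name_matches(rname, name);
    return (idx == 12 && !in_bounds && match) ? 0 : 1;
}
```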
