vrend: fix buffer overflow in _mesa_DebugMessageInsert

Detected by fuzzer.

glDebugMessageInsert() expects either a char buffer and non-negative length, or a null-terminated C string and negative length. If a non-null-terminated buffer is passed with a negative length, Mesa attempts to determine the length with strlen() and accesses out-of-bounds memory.

To support both, if the length is negative, force the last byte to '\0' before calling glDebugMessageInsert().

Signed-off-by: Ryan Neph <ryanneph@google.com>
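
The pattern the commit message describes, as an added C example that is not the virglrenderer patch itself. `safe_debug_insert`, `debug_insert_stub` (a stand-in for the GL call) and the bound check on non-negative lengths are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the driver side of glDebugMessageInsert():
 * a negative length means "buf is a NUL-terminated C string", so the
 * callee measures it with strlen(). Returns the number of bytes read. */
static size_t debug_insert_stub(int length, const char *buf)
{
    return length < 0 ? strlen(buf) : (size_t)length;
}

/* Wrapper for a message held in a buffer of known size buf_size whose
 * contents and length come from an untrusted sender. Returns the bytes
 * the callee reads, or (size_t)-1 when the request is rejected. */
size_t safe_debug_insert(char *buf, size_t buf_size, int length)
{
    if (buf == NULL || buf_size == 0)
        return (size_t)-1;

    if (length < 0) {
        /* Negative length: the callee will run strlen(). Forcing the
         * last byte to NUL keeps that scan inside the buffer even if
         * the sender supplied no terminator. */
        buf[buf_size - 1] = '\0';
    } else if ((size_t)length > buf_size) {
        /* Assumption beyond the commit message: an explicit length
         * must also fit inside the buffer. */
        return (size_t)-1;
    }
    return debug_insert_stub(length, buf);
}

int main(void)
{
    char msg[8];                      /* constructed sample input */
    memset(msg, 'A', sizeof msg);     /* no terminator anywhere   */
    printf("bytes read: %zu\n", safe_debug_insert(msg, sizeof msg, -1));
    return 0;
}
```

Without the forced terminator, the first call in `main` would let `strlen()` run past the end of `msg`.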