decode: check relation of offlen and length with shader creation (!918) · Merge requests · virgl / virglrenderer

Gert Wollny requested to merge gerddie/virglrenderer:submit-check-shader-offset into master Sep 07, 2022

This fixes a heap-buffer-overflow:

  AddressSanitizer: heap-buffer-overflow
  WRITE of size 120 at 0x6020000295d1 thread T0
    #0 in __asan_memcpy (/usr/libexec/fuzzers/virgl_fuzzer+0x12c0a9) (BuildId: d3f901c180f5ad18)
    #1 in vrend_create_shader src/vrend_renderer.c:4227:6
    #2 in vrend_decode_create_shader src/vrend_decode.c:129:10
    #3 in vrend_decode_create_object src/vrend_decode.c:783:13
    #4 in vrend_decode_ctx_submit_cmd src/vrend_decode.c:1919:13
    #5 virgl_renderer_submit_cmd src/virglrenderer.c:426:11

Edited Sep 07, 2022 by Gert Wollny

decode: check relation of offlen and length with shader creation

Merge request reports