gallium/tgsi: fix overflow in parse property
In parse_identifier, copying from '*pcur' doesn't stop until it encounters the NULL. As 'ret' is a fixed-size buffer, a long string in '*pcur' will cause a buffer overflow. This patch avoids this. Signed-off-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Marek Olšák <marek.olsak@amd.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
parent
2c0d849e2d
commit
6205c53303
|
@ -208,14 +208,17 @@ static boolean parse_int( const char **pcur, int *val )
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
static boolean parse_identifier( const char **pcur, char *ret )
|
||||
static boolean parse_identifier( const char **pcur, char *ret, size_t len )
|
||||
{
|
||||
const char *cur = *pcur;
|
||||
int i = 0;
|
||||
if (is_alpha_underscore( cur )) {
|
||||
ret[i++] = *cur++;
|
||||
while (is_alpha_underscore( cur ) || is_digit( cur ))
|
||||
while (is_alpha_underscore( cur ) || is_digit( cur )) {
|
||||
if (i == len - 1)
|
||||
return FALSE;
|
||||
ret[i++] = *cur++;
|
||||
}
|
||||
ret[i++] = '\0';
|
||||
*pcur = cur;
|
||||
return TRUE;
|
||||
|
@ -1787,7 +1790,7 @@ static boolean parse_property( struct translate_ctx *ctx )
|
|||
report_error( ctx, "Syntax error" );
|
||||
return FALSE;
|
||||
}
|
||||
if (!parse_identifier( &ctx->cur, id )) {
|
||||
if (!parse_identifier( &ctx->cur, id, sizeof(id) )) {
|
||||
report_error( ctx, "Syntax error" );
|
||||
return FALSE;
|
||||
}
|
||||
|
|
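Review bot: In parse_identifier the new guard `if (i == len - 1)` only runs inside the loop, after the first character has already been stored unconditionally by `ret[i++] = *cur++;`, so the bound holds only when `len` is at least 2. With a `len` of 0 the `size_t` subtraction wraps, and with a `len` of 1 `i` is already past `len - 1` when the loop starts, so the equality never fires and the later `ret[i++] = '\0';` would also write past the buffer. The one caller shown passes `sizeof(id)`, which is fine provided `id` is a real array of more than one byte; its declaration is outside the hunk, so that is worth confirming. I would add `if (len < 2) return FALSE;` before the first store, declare `i` as `size_t` to avoid the signed/unsigned comparison, and test `if (i >= len - 1)` so the check fails closed. The tail of parse_identifier (the final `return FALSE;` and closing brace) lies outside the hunk.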