KonstantinSeurer
/
mesa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gallium/tgsi: fix overflow in parse property 

In parse_identifier, it doesn't stop copying '*pcur'
untill encounter the NULL. As the 'ret' has a
fixed-size buffer, if the '*pcur' has a long string,
there will be a buffer overflow. This patch avoid this.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Marek Olšák <marek.olsak@amd.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
This commit is contained in:
Li Qiang 2017-01-10 03:56:31 -05:00 committed by Marek Olšák
parent 2c0d849e2d
commit 6205c53303
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/gallium/auxiliary/tgsi/tgsi_text.c
View File

@ -208,14 +208,17 @@ static boolean parse_int( const char **pcur, int *val )
return FALSE;
}
static boolean parse_identifier( const char **pcur, char *ret )
static boolean parse_identifier( const char **pcur, char *ret, size_t len )
{
const char *cur = *pcur;
int i = 0;
if (is_alpha_underscore( cur )) {
ret[i++] = *cur++;
while (is_alpha_underscore( cur ) || is_digit( cur ))
while (is_alpha_underscore( cur ) || is_digit( cur )) {
if (i == len - 1)
return FALSE;
ret[i++] = *cur++;
}
ret[i++] = '\0';
*pcur = cur;
return TRUE;
@ -1787,7 +1790,7 @@ static boolean parse_property( struct translate_ctx *ctx )
report_error( ctx, "Syntax error" );
return FALSE;
}
if (!parse_identifier( &ctx->cur, id )) {
if (!parse_identifier( &ctx->cur, id, sizeof(id) )) {
report_error( ctx, "Syntax error" );
return FALSE;
}