Diffstat (limited to 'meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch')
-rw-r--r-- | meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch
new file mode 100644
index 0000000000..cc641d8293
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch
@@ -0,0 +1,51 @@
+From 2abeb1802e3c005b17a7123e382171b3fb665971 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 8 Oct 2019 17:27:01 +0200
+Subject: [PATCH] vrend: check that the transfer iov holds enough data for the
+ data upload
+
+Closes #140
+
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/2abeb1802e3c005b17a7123e382171b3fb665971]
+CVE: CVE-2019-18391
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 694e1d0e..fe23846b 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7005,15 +7005,22 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+ invert = true;
+ }
+
++ send_size = util_format_get_nblocks(res->base.format, info->box->width,
++ info->box->height) * elsize;
++ if (res->target == GL_TEXTURE_3D ||
++ res->target == GL_TEXTURE_2D_ARRAY ||
++ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
++ send_size *= info->box->depth;
++
+ if (need_temp) {
+- send_size = util_format_get_nblocks(res->base.format, info->box->width,
+- info->box->height) * elsize * info->box->depth;
+ data = malloc(send_size);
+ if (!data)
+ return ENOMEM;
+ read_transfer_data(iov, num_iovs, data, res->base.format, info->offset,
+ stride, layer_stride, info->box, invert);
+ } else {
++ if (send_size > iov[0].iov_len - info->offset)
++ return EINVAL;
+ data = (char*)iov[0].iov_base + info->offset;
+ }
+
+--
+2.24.1
+ |
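Review bot: The new bound in the else branch, `send_size > iov[0].iov_len - info->offset`, is only sound if info->offset can never exceed iov[0].iov_len. iov_len is a size_t, so if the offset is also unsigned (its declaration is not visible here), a larger offset makes the subtraction wrap to a huge value and the check passes. Unless a caller outside this hunk already validates the offset, the guard would be safer as `if (info->offset > iov[0].iov_len || send_size > iov[0].iov_len - info->offset) return EINVAL;`. The send_size product computed above (blocks * elsize, then * depth) is also not checked for overflow, which is worth confirming against the declared type of send_size, since that value sizes the malloc in the need_temp branch. vrend_renderer_transfer_write_iov starts and ends outside the hunk, so earlier validation may exist that is not shown.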