me/guix
Archived
1
0
Fork 0
Code Activity
This repository has been archived on 2024-08-07. You can view files and clone it, but cannot push or open issues or pull requests.
guix/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch
Leo Famulari 1e5b8beeff
gnu: virglrenderer: Fix CVE-2017-6386. 
* gnu/packages/patches/virglrenderer-CVE-2017-6386.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/spice.scm (virglrenderer)[source]: Use it.
2017-03-16 19:39:55 -04:00

54 lines
1.7 KiB
Diff
Raw Blame History

Fix CVE-2017-6386 (memory leak introduced by fix for CVE-2017-5994).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5994
Patch copied from upstream source repository:
https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920
From 737c3350850ca4dbc5633b3bdb4118176ce59920 Mon Sep 17 00:00:00 2001
From: Dave Airlie <airlied@redhat.com>
Date: Tue, 28 Feb 2017 14:52:09 +1000
Subject: renderer: fix memory leak in vertex elements state create
Reported-by: Li Qiang
Free the vertex array in error path.
This was introduced by this commit:
renderer: fix heap overflow in vertex elements state create.
I rewrote the code to not require the allocation in the first
place if we have an error, seems nicer.
Signed-off-by: Dave Airlie <airlied@redhat.com>
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 1bca7ad..e5d9f5c 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -1648,18 +1648,19 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx,
unsigned num_elements,
const struct pipe_vertex_element *elements)
{
- struct vrend_vertex_element_array *v = CALLOC_STRUCT(vrend_vertex_element_array);
+ struct vrend_vertex_element_array *v;
const struct util_format_description *desc;
GLenum type;
int i;
uint32_t ret_handle;
- if (!v)
- return ENOMEM;
-
if (num_elements > PIPE_MAX_ATTRIBS)
return EINVAL;
+ v = CALLOC_STRUCT(vrend_vertex_element_array);
+ if (!v)
+ return ENOMEM;
+
v->count = num_elements;
for (i = 0; i < num_elements; i++) {
memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element));
--
cgit v0.10.2
View git blame Copy permalink