authorFeng Jiang <jiangfeng@kylinos.cn>2022-09-29 12:27:33 +0800
committerMarge Bot <emma+marge@anholt.net>2022-10-25 13:18:40 +0000
commite5a35ac269a49dac6f94ea34cad0464f5345f38f (patch)
tree99d6b991988cc09229e56fac1150550984b3a39b
parentb3fc980d7fce1946eeb19211982b50250428afaa (diff)
downloadvirglrenderer-e5a35ac269a49dac6f94ea34cad0464f5345f38f.tar.gz
video: Avoid potential memory out-of-bounds in vrend_video_decode_bitstream()
An out-of-bounds memory access may occur if the picture description structure on the driver side differs from the one on the device side. Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn> Reviewed-by: Gert Wollny <gert.wollny@collabora.com> Part-of: <https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/940>
-rw-r--r--src/vrend_video.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/vrend_video.c b/src/vrend_video.c
index ab312a8e..38da8ff9 100644
--- a/src/vrend_video.c
+++ b/src/vrend_video.c
@@ -696,8 +696,9 @@ int vrend_video_decode_bitstream(struct vrend_video_context *ctx,
vrend_printf("%s: desc res %d not found\n", __func__, desc_handle);
goto err;
}
- vrend_read_from_iovec(res->iov, res->num_iovs,
- 0, (char *)(&desc), sizeof(desc));
+ memset(&desc, 0, sizeof(desc));
+ vrend_read_from_iovec(res->iov, res->num_iovs, 0, (char *)(&desc),
+ MIN(res->base.width0, sizeof(desc)));
modify_picture_desc(cdc, tgt, &desc);
err = virgl_video_decode_bitstream(cdc->codec, tgt->buffer, &desc,