diff options
author | Feng Jiang <jiangfeng@kylinos.cn> | 2022-09-29 12:27:33 +0800 |
---|---|---|
committer | Marge Bot <emma+marge@anholt.net> | 2022-10-25 13:18:40 +0000 |
commit | e5a35ac269a49dac6f94ea34cad0464f5345f38f (patch) | |
tree | 99d6b991988cc09229e56fac1150550984b3a39b | |
parent | b3fc980d7fce1946eeb19211982b50250428afaa (diff) | |
download | virglrenderer-e5a35ac269a49dac6f94ea34cad0464f5345f38f.tar.gz |
video: Avoid potential memory out-of-bounds in vrend_video_decode_bitstream()
Memory out-of-bounds may occur if the structure of picture description
on the driver side is different from the device side.
Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
Reviewed-by: Gert Wollny <gert.wollny@collabora.com>
Part-of: <https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/940>
-rw-r--r-- | src/vrend_video.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/vrend_video.c b/src/vrend_video.c index ab312a8e..38da8ff9 100644 --- a/src/vrend_video.c +++ b/src/vrend_video.c @@ -696,8 +696,9 @@ int vrend_video_decode_bitstream(struct vrend_video_context *ctx, vrend_printf("%s: desc res %d not found\n", __func__, desc_handle); goto err; } - vrend_read_from_iovec(res->iov, res->num_iovs, - 0, (char *)(&desc), sizeof(desc)); + memset(&desc, 0, sizeof(desc)); + vrend_read_from_iovec(res->iov, res->num_iovs, 0, (char *)(&desc), + MIN(res->base.width0, sizeof(desc))); modify_picture_desc(cdc, tgt, &desc); err = virgl_video_decode_bitstream(cdc->codec, tgt->buffer, &desc, |