linux-dmabuf: fix bound checks for stride and height

- Fix bound checking for offset + stride * height
- Make offset bound checking more consistent
- Reject zero strides
emersion 2018-05-30 17:18:51 +01:00
parent 135721118a
commit f90b024ad0
No known key found for this signature in database
GPG key ID: 0FDE7BE0E88F5E48


@ -207,7 +207,7 @@ static void params_create_common(struct wl_client *client,
// Skip checks if kernel does no support seek on buffer // Skip checks if kernel does no support seek on buffer
continue; continue;
} }
if (buffer->attributes.offset[i] >= size) { if (buffer->attributes.offset[i] > size) {
wl_resource_post_error(params_resource, wl_resource_post_error(params_resource,
ZWP_LINUX_BUFFER_PARAMS_V1_ERROR_OUT_OF_BOUNDS, ZWP_LINUX_BUFFER_PARAMS_V1_ERROR_OUT_OF_BOUNDS,
"invalid offset %i for plane %d", "invalid offset %i for plane %d",
@ -215,7 +215,8 @@ static void params_create_common(struct wl_client *client,
goto err_out; goto err_out;
} }
if (buffer->attributes.offset[i] + buffer->attributes.stride[i] > size) { if (buffer->attributes.offset[i] + buffer->attributes.stride[i] > size ||
buffer->attributes.stride[i] == 0) {
wl_resource_post_error(params_resource, wl_resource_post_error(params_resource,
ZWP_LINUX_BUFFER_PARAMS_V1_ERROR_OUT_OF_BOUNDS, ZWP_LINUX_BUFFER_PARAMS_V1_ERROR_OUT_OF_BOUNDS,
"invalid stride %i for plane %d", "invalid stride %i for plane %d",
@ -225,7 +226,7 @@ static void params_create_common(struct wl_client *client,
// planes > 0 might be subsampled according to fourcc format // planes > 0 might be subsampled according to fourcc format
if (i == 0 && buffer->attributes.offset[i] + if (i == 0 && buffer->attributes.offset[i] +
buffer->attributes.stride[i] * height >= size) { buffer->attributes.stride[i] * height > size) {
wl_resource_post_error(params_resource, wl_resource_post_error(params_resource,
ZWP_LINUX_BUFFER_PARAMS_V1_ERROR_OUT_OF_BOUNDS, ZWP_LINUX_BUFFER_PARAMS_V1_ERROR_OUT_OF_BOUNDS,
"invalid buffer stride or height for plane %d", i); "invalid buffer stride or height for plane %d", i);
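Review bot: The two sums on the new side, `offset[i] + stride[i]` and `offset[i] + stride[i] * height`, are computed from client-supplied plane attributes before the comparison with `size`, so if those fields are 32-bit (their declarations are not visible on this page) a large offset or stride can wrap around and pass both bound checks. Widening the arithmetic before comparing closes that gap, e.g. `(uint64_t)buffer->attributes.offset[i] + (uint64_t)buffer->attributes.stride[i] * height > size`, with the same cast applied to the offset + stride check in the second hunk. It is also worth confirming that `height` is rejected when zero or negative before this loop runs; params_create_common starts and ends outside the visible hunks, so that check may already exist.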