From 3af72354feef361980d0fb028e29d66f5525d8e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20=C5=9Alusarz?=
Date: Fri, 24 Jul 2020 19:19:07 +0200
Subject: [PATCH] mesa: fix out of bounds access in glGetFramebufferParameterivEXT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ColorDrawBuffer is an array of MAX_DRAW_BUFFERS == 8. Found by Coverity.

Signed-off-by: Marcin Ślusarz
Fixes: 7534c536ca0 ("mesa: add EXT_dsa (Named)Framebuffer functions")
Reviewed-by: Marek Olšák
Part-of:
(cherry picked from commit 0906d5d504eb0209556787b020a6df58b4cc3069)
---
 .pick_status.json | 2 +-
 src/mesa/main/fbobject.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.pick_status.json b/.pick_status.json
index 1eb7605ff8b..9ecf25f2131 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -1786,7 +1786,7 @@
 "description": "mesa: fix out of bounds access in glGetFramebufferParameterivEXT",
 "nominated": true,
 "nomination_type": 1,
- "resolution": 0,
+ "resolution": 1,
 "master_sha": null,
 "because_sha": "7534c536ca0f4b2b123200f421460094034f37a3"
 },
diff --git a/src/mesa/main/fbobject.c b/src/mesa/main/fbobject.c
index 298a6b35d0a..e43d07b2b8c 100644
--- a/src/mesa/main/fbobject.c
+++ b/src/mesa/main/fbobject.c
@@ -4814,7 +4814,11 @@ _mesa_GetFramebufferParameterivEXT(GLuint framebuffer, GLenum pname,
 *param = fb->ColorReadBuffer;
 }
 else if (GL_DRAW_BUFFER0 <= pname && pname <= GL_DRAW_BUFFER15) {
- *param = fb->ColorDrawBuffer[pname - GL_DRAW_BUFFER0];
+ unsigned buffer = pname - GL_DRAW_BUFFER0;
+ if (buffer < ARRAY_SIZE(fb->ColorDrawBuffer))
+ *param = fb->ColorDrawBuffer[buffer];
+ else
+ _mesa_error(ctx, GL_INVALID_ENUM, "glGetFramebufferParameterivEXT(pname)");
 }
 else {
 _mesa_error(ctx, GL_INVALID_ENUM, "glGetFramebufferParameterivEXT(pname)");
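Review bot: The new inner `else` in the fbobject.c hunk repeats the `_mesa_error(ctx, GL_INVALID_ENUM, ...)` call of the final `else` branch just below it, and nothing in the code says why `GL_DRAW_BUFFER8`..`GL_DRAW_BUFFER15` pass the outer range test yet are rejected. Folding the bound into the condition, `else if (GL_DRAW_BUFFER0 <= pname && pname - GL_DRAW_BUFFER0 < ARRAY_SIZE(fb->ColorDrawBuffer)) {`, leaves a single error path and keeps the index check on the same line where the caller-supplied `pname` becomes an array index. The bound is the static array size, so the read stays in bounds, but it may still return slots above the context's runtime draw-buffer limit (presumably `ctx->Const.MaxDrawBuffers`); it is worth confirming whether that limit should be the bound instead. The body of `_mesa_GetFramebufferParameterivEXT` starts and ends outside this hunk.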