In parse_identifier, copying from '*pcur' does not stop until the NULL is encountered. As 'ret' is a fixed-size buffer, a long string in '*pcur' causes a buffer overflow. This patch avoids this.
Signed-off-by: Li Qiang <liq...@gmail.com>
---
 src/gallium/auxiliary/tgsi/tgsi_text.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/gallium/auxiliary/tgsi/tgsi_text.c b/src/gallium/auxiliary/tgsi/tgsi_text.c
index 1b4f594..073e6bc 100644
--- a/src/gallium/auxiliary/tgsi/tgsi_text.c
+++ b/src/gallium/auxiliary/tgsi/tgsi_text.c
@@ -208,13 +208,13 @@ static boolean parse_int( const char **pcur, int *val )
 return FALSE;
 }
-static boolean parse_identifier( const char **pcur, char *ret )
+static boolean parse_identifier( const char **pcur, char *ret, size_t len )
 {
 const char *cur = *pcur;
 int i = 0;
 if (is_alpha_underscore( cur )) {
 ret[i++] = *cur++;
-      while (is_alpha_underscore( cur ) || is_digit( cur ))
+      while (i < len - 1 && (is_alpha_underscore( cur ) || is_digit( cur )))
 ret[i++] = *cur++;
 ret[i++] = '\0';
 *pcur = cur;
@@ -1787,7 +1787,7 @@ static boolean parse_property( struct translate_ctx *ctx )
 report_error( ctx, "Syntax error" );
 return FALSE;
 }
-   if (!parse_identifier( &ctx->cur, id )) {
+   if (!parse_identifier( &ctx->cur, id, sizeof(id) )) {
 report_error( ctx, "Syntax error" );
 return FALSE;
 }
--
2.7.4
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/mesa-dev
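Review bot: The new bound `i < len - 1` in parse_identifier stops the copy but returns TRUE with a silently truncated identifier, leaving the unconsumed identifier characters in `*pcur` for the caller to misinterpret; an over-long identifier should be rejected rather than truncated, e.g. after the loop add `if (is_alpha_underscore( cur ) || is_digit( cur )) return FALSE;` (the function's tail, including its return, lies outside the first hunk, so place it before `ret[i++] = '\0';`). The loop counter `i` is still `int` while `len` is `size_t`, so `i < len - 1` is a signed/unsigned comparison (`-Wsign-compare`) and `len == 0` wraps `len - 1` to SIZE_MAX, removing the bound entirely; declare `size_t i = 0;` and guard `if (len == 0) return FALSE;` at entry. In the second hunk (parse_property) passing `sizeof(id)` is only correct if `id` is declared as an array in that function rather than a pointer, which cannot be confirmed from the hunk; a brief comment on the new parameter, such as `/* len: size of ret in bytes, including the terminating NUL */`, would document the contract for other callers.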