On Fri 15 May 2015, Emil Velikov wrote:
> On 12/05/15 22:54, Marek Olšák wrote:
> > From: Marek Olšák <marek.ol...@amd.com>
> >
> > ---
> > src/egl/main/eglapi.c | 38 ++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 38 insertions(+)
> >
> > diff --git a/src/egl/main/eglapi.c b/src/egl/main/eglapi.c
> > index 6457798..34a113b 100644
> > --- a/src/egl/main/eglapi.c
> > +++ b/src/egl/main/eglapi.c
> > @@ -251,6 +251,30 @@ _eglUnlockDisplay(_EGLDisplay *dpy)
> > }
> >
> >
> > +static EGLint *
> > +_eglConvertAttribsToInt(const EGLAttrib *attr_list)
> > +{
> > + EGLint *int_attribs = NULL;
> > +
> > + /* Convert attributes from EGLAttrib[] to EGLint[] */
> > + if (attr_list) {
> > + int i, size = 0;
> > +
> > + while (attr_list[size] != EGL_NONE)
> > + size += 2;
> > +
> > + if (size) {
> > + size += 1; /* add space for EGL_NONE */
> > + int_attribs = malloc(size * sizeof(int_attribs[0]));
> > +
> > + for (i = 0; i < size; i++)
> > + int_attribs[i] = attr_list[i];
> In the unlikely event that malloc fails, it'll be nice to not crash.
NAK.
There is a stack overflow vulnerability here, even when malloc succeeds.
An attacker can pass a very large but valid `EGLint *attrib_list` into
an EGL entry point, forcing the size calculation given to malloc to
overflow to a small positive integer. Then _eglConvertAttribsToInt will
blithely copy a portion (perhaps most) of the attacker's attrib list onto
the stack!
To prevent the stack overflow, _eglConvertAttribsToInt should use
calloc() and abort if allocation fails.
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/mesa-dev
