+-- On Tue, 4 May 2021, Li Qiang wrote --+
| If 'virgl_cmd_get_capset' set 'max_size' to 0,
| the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
| This patch avoid this by checking the returned 'max_size'.
|
| Signed-off-by: Li Qiang <[email protected]>
| ---
| contrib/vhost-user-gpu/virgl.c | 4 ++++
| 1 file changed, 4 insertions(+)
|
| diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
| index a16a311d80..7172104b19 100644
| --- a/contrib/vhost-user-gpu/virgl.c
| +++ b/contrib/vhost-user-gpu/virgl.c
| @@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g,
|
| virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
| &max_size);
| + if (!max_size) {
| + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
| + return;
| + }
| resp = g_malloc0(sizeof(*resp) + max_size);
|
| resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
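Review bot: The new `if (!max_size)` guard only closes the hole if `virgl_renderer_get_cap_set()` stores to `max_size` on every path, including an unrecognized `gc.capset_id` (which presumably comes from the guest); the declarations of `max_ver` and `max_size` sit before the hunk, and virgl_cmd_get_capset itself starts outside it, so if they are left uninitialized a renderer build that does not touch its out-parameters for an unknown capset would bypass the check and size the allocation from an indeterminate value. Initializing them at the declaration, `uint32_t max_ver = 0, max_size = 0;`, makes the zero-size check hold regardless of the library's behaviour. The guard would also read better with a one-line why-comment, since the reason is only in the commit message: `/* a zero max_size would make virgl_renderer_fill_caps() write past resp */`.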
* Looks okay. Reviewed-by: Prasad J Pandit <[email protected]> Thank you. -- - P J P 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
