egl/dri: Avoid out of bounds array access

indexConfigAttrib iterates over every index in the dri driver, possibly exceeding __DRI_ATTRIB_MAX. In other words, if the dri driver has newer attributes libEGL will end up reading from uninitialized memory through dri2_to_egl_attribute_map[]. Signed-off-by: Kevin Strasser <[email protected]> Cc: [email protected] Reviewed-by: Emil Velikov <[email protected]>
author: Kevin Strasser <[email protected]> 2019-01-28 10:42:44 -0800
committer: Emil Velikov <[email protected]> 2019-03-13 18:28:53 +0000
commit: 70b36c0ef939048acb9c4727b2e4280fc090eb74 (patch)
tree: acf771a21a0b15d9d6b8648a1a185a5b6f919850
parent: 97ad0efba08d336813366b9cab114c94c2ca61db (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/src/egl/drivers/dri2/egl_dri2.c b/src/egl/drivers/dri2/egl_dri2.c
index 9c9b753fafe..6acc99aa62a 100644
--- a/src/egl/drivers/dri2/egl_dri2.c
+++ b/src/egl/drivers/dri2/egl_dri2.c
@@ -213,8 +213,10 @@ dri2_add_config(_EGLDisplay *disp, const __DRIconfig *dri_config, int id,
    bind_to_texture_rgb = 0;
    bind_to_texture_rgba = 0;
 
-   for (int i = 0; dri2_dpy->core->indexConfigAttrib(dri_config, i, &attrib,
-                                                     &value); ++i) {
+   for (int i = 0; i < __DRI_ATTRIB_MAX; ++i) {
+      if (!dri2_dpy->core->indexConfigAttrib(dri_config, i, &attrib, &value))
+         break;
+
       switch (attrib) {
       case __DRI_ATTRIB_RENDER_TYPE:
          if (value & __DRI_ATTRIB_RGBA_BIT)
author	Kevin Strasser <[email protected]>	2019-01-28 10:42:44 -0800
committer	Emil Velikov <[email protected]>	2019-03-13 18:28:53 +0000
commit	70b36c0ef939048acb9c4727b2e4280fc090eb74 (patch)
tree	acf771a21a0b15d9d6b8648a1a185a5b6f919850
parent	97ad0efba08d336813366b9cab114c94c2ca61db (diff)