From c2dfff280ba7d0857e350581496daa17cccacb84 Mon Sep 17 00:00:00 2001
From: Nicolai Hähnle
Date: Wed, 22 Feb 2017 18:06:46 +0100
Subject: mesa: Avoid out-of-bounds stack read via _mesa_Materiali
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

MATERIALFV may end up reading up to 4 floats from the passed parameter. This should really set a GL_INVALID_ENUM error in the cases where it matters, but does anybody really care? Found by ASAN in piglit gl-1.0-beginend-coverage.
v2: fix a trivial compiler warning
Reviewed-by: Marek Olšák (v1)
Reviewed-by: Ian Romanick (v1)
---
 src/mesa/main/api_loopback.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src/mesa')
diff --git a/src/mesa/main/api_loopback.c b/src/mesa/main/api_loopback.c
index 8b63d9c0e95..59b59d3a9ec 100644
--- a/src/mesa/main/api_loopback.c
+++ b/src/mesa/main/api_loopback.c
@@ -865,8 +865,9 @@ _mesa_Materialf( GLenum face, GLenum pname, GLfloat param )
 void GLAPIENTRY
 _mesa_Materiali(GLenum face, GLenum pname, GLint param )
 {
- GLfloat p = (GLfloat) param;
- MATERIALFV(face, pname, &p);
+ GLfloat p[4];
+ p[0] = (GLfloat) param;
+ MATERIALFV(face, pname, p);
 }

 void GLAPIENTRY
-- 
cgit v1.2.3
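Review bot: In `_mesa_Materiali`, only `p[0]` is assigned, so `p[1]`..`p[3]` stay indeterminate. The commit message says MATERIALFV may read up to 4 floats, so for those pnames it would now read uninitialized stack values instead of out-of-bounds ones. ASAN no longer reports anything, but stale stack contents can still end up in material state. Initializing the whole array closes that: `GLfloat p[4] = { (GLfloat) param, 0.0f, 0.0f, 0.0f };`. A short comment such as `/* MATERIALFV may read up to 4 floats; glMateriali supplies only the first */` would also explain the array size until the GL_INVALID_ENUM check mentioned in the message is added.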