From ce18d3d8977d650cd8429f465f9448ad37e6975a Mon Sep 17 00:00:00 2001 From: Patrick Lerda Date: Thu, 25 May 2023 16:20:09 +0200 Subject: [PATCH] mesa/st: fix buffer overflow related to set_program_string() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For instance, this is triggered with "piglit/bin/ext_direct_state_access-named-program -auto -fbo": ==5695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000050031 at pc 0x7f78dfca8d46 bp 0x7ffd9043b4a0 sp 0x7ffd9043ac50 READ of size 50 at 0x606000050031 thread T0 #0 0x7f78dfca8d45 (/usr/lib64/libasan.so.6+0x3fd45) #1 0x7f78d450b18f in set_program_string ../src/mesa/main/arbprogram.c:385 #2 0x7f78d3fdbd3e in execute_list ../src/mesa/main/dlist.c:13025 #3 0x7f78d40c2564 in _mesa_CallList ../src/mesa/main/dlist.c:13451 #4 0x7f78d42f380a in _mesa_unmarshal_CallList ../src/mesa/main/glthread_list.c:43 #5 0x7f78d38e85c5 in glthread_unmarshal_batch ../src/mesa/main/glthread.c:122 #6 0x7f78d38ea20d in _mesa_glthread_finish ../src/mesa/main/glthread.c:382 #7 0x7f78d38ea20d in _mesa_glthread_finish ../src/mesa/main/glthread.c:347 #8 0x7f78d3d73f69 in _mesa_marshal_IsProgramARB src/mapi/glapi/gen/marshal_generated2.c:4256 Fixes: 0b196b40a3ae ("mesa: don't compute the same SHA1 twice in glShaderSource") Signed-off-by: Patrick Lerda Reviewed-by: Marek Olšák Part-of: (cherry picked from commit 44b960a6453ec78d3cbb6624e6daaf8345d99dc4)
---
 .pick_status.json | 2 +- src/mesa/main/arbprogram.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pick_status.json b/.pick_status.json
index ba580c49a8a9..c06ad081c796 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -184,7 +184,7 @@
 "description": "mesa/st: fix buffer overflow related to set_program_string()",
 "nominated": true,
 "nomination_type": 1,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": "0b196b40a3ae88b822fc1ec98b3461469c7dec98"
 },
diff --git a/src/mesa/main/arbprogram.c b/src/mesa/main/arbprogram.c
index fbfd4a0385fe..3911e55217c3 100644
--- a/src/mesa/main/arbprogram.c
+++ b/src/mesa/main/arbprogram.c
@@ -382,7 +382,7 @@ set_program_string(struct gl_program *prog, GLenum target, GLenum format, GLsize
 gl_shader_stage stage = _mesa_program_enum_to_shader_stage(target);
 uint8_t sha1[SHA1_DIGEST_LENGTH];
- _mesa_sha1_compute(string, strlen(string), sha1);
+ _mesa_sha1_compute(string, len, sha1);
 /* Dump original shader source to MESA_SHADER_DUMP_PATH and replace
 * if corresponding entry found from MESA_SHADER_READ_PATH.
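Review bot: The dump/replace step announced by the trailing comment may still treat `string` as NUL-terminated, which would leave the same over-read in place. Only the `_mesa_sha1_compute(string, len, sha1)` call is switched to the caller-supplied length, and the ASan trace in the description shows the display-list path passing a buffer with no terminator. That code lies outside the hunk, so it should be checked separately. The declaration of `len` is also cut off in the hunk header; if it is a signed GL size with no earlier `len < 0` rejection, a negative value would convert to a very large byte count here, so a guard before the hash call is worth confirming. I would add a comment above the call such as `/* string may not be NUL-terminated (display-list replay); use len, never strlen(). */` so the invariant is not lost in later edits.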