From 24f67de7a9088a873844a39be03cee6882260ac9 Mon Sep 17 00:00:00 2001
From: Gert Wollny
Date: Mon, 7 Oct 2019 10:59:56 +0200
Subject: [PATCH] vrend: check info formats in blits
Closes #141
Closes #142
v2 : drop colon in error description (Emil)
Signed-off-by: Gert Wollny
Reviewed-by: Emil Velikov
Upstream-Status: Backport [https://gitlab.freedesktop.org/virgl/virglrenderer/commit/24f67de7a9088a873844a39be03cee6882260ac9]
CVE: CVE-2019-18390
Signed-off-by: Lee Chee Yang
---
 src/virgl_hw.h | 1 +
 src/vrend_renderer.c | 11 +++++++++++
 2 files changed, 12 insertions(+)
diff --git a/src/virgl_hw.h b/src/virgl_hw.h
index 145780bf..5ccf3073 100644
--- a/src/virgl_hw.h
+++ b/src/virgl_hw.h
@@ -426,6 +426,7 @@ enum virgl_ctx_errors {
 VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER,
 VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS,
 VIRGL_ERROR_GL_ANY_SAMPLES_PASSED,
+ VIRGL_ERROR_CTX_ILLEGAL_FORMAT,
 };
 #define VIRGL_RESOURCE_Y_0_TOP (1 << 0)
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 14fefb38..aa6a89c1 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -758,6 +758,7 @@ static const char *vrend_ctx_error_strings[] = {
 [VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER] = "Illegal command buffer",
 [VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS] = "On GLES context and shader program has tesselation evaluation shader but no tesselation control shader",
 [VIRGL_ERROR_GL_ANY_SAMPLES_PASSED] = "Query for ANY_SAMPLES_PASSED not supported",
+ [VIRGL_ERROR_CTX_ILLEGAL_FORMAT] = "Illegal format ID",
 };
 static void __report_context_error(const char *fname, struct vrend_context *ctx,
@@ -8492,6 +8493,16 @@ void vrend_renderer_blit(struct vrend_context *ctx,
 if (ctx->in_error)
 return;
+ if (!info->src.format || (enum virgl_formats)info->src.format >= VIRGL_FORMAT_MAX) {
+ report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->src.format);
+ return;
+ }
+
+ if (!info->dst.format || (enum virgl_formats)info->dst.format >= VIRGL_FORMAT_MAX) {
+ report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->dst.format);
+ return;
+ }
+
 if (info->render_condition_enable == false)
 vrend_pause_render_condition(ctx, true);
--
2.24.1
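Review bot: The upper-bound test in both added checks compares after a cast to `enum virgl_formats`, so whether a negative format value is rejected depends on the compiler giving that enum an unsigned underlying type, which C leaves implementation-defined. These IDs presumably come from the guest (the patch carries a CVE tag) and are presumably used as table indices later in vrend_renderer_blit, whose body continues outside this hunk, so an explicit unsigned comparison would make the guard independent of that choice: `if (!info->src.format || (unsigned)info->src.format >= VIRGL_FORMAT_MAX) {`, and the same for `info->dst.format`. The two checks differ only in the field, so a small static helper that takes the format value would keep them from drifting apart. A short comment such as `/* format IDs are untrusted: reject anything outside the format table before it is used as an index */` would record why the check sits ahead of the rest of the function.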