From 2abeb1802e3c005b17a7123e382171b3fb665971 Mon Sep 17 00:00:00 2001
From: Gert Wollny
Date: Tue, 8 Oct 2019 17:27:01 +0200
Subject: [PATCH] vrend: check that the transfer iov holds enough data for the data upload

Closes #140
Signed-off-by: Gert Wollny
Reviewed-by: Emil Velikov
Upstream-Status: Backport [https://gitlab.freedesktop.org/virgl/virglrenderer/commit/2abeb1802e3c005b17a7123e382171b3fb665971]
CVE: CVE-2019-18391
Signed-off-by: Lee Chee Yang
---
 src/vrend_renderer.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 694e1d0e..fe23846b 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -7005,15 +7005,22 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
 invert = true;
 }

+ send_size = util_format_get_nblocks(res->base.format, info->box->width,
+ info->box->height) * elsize;
+ if (res->target == GL_TEXTURE_3D ||
+ res->target == GL_TEXTURE_2D_ARRAY ||
+ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+ send_size *= info->box->depth;
+
 if (need_temp) {
- send_size = util_format_get_nblocks(res->base.format, info->box->width,
- info->box->height) * elsize * info->box->depth;
 data = malloc(send_size);
 if (!data)
 return ENOMEM;
 read_transfer_data(iov, num_iovs, data, res->base.format, info->offset,
 stride, layer_stride, info->box, invert);
 } else {
+ if (send_size > iov[0].iov_len - info->offset)
+ return EINVAL;
 data = (char*)iov[0].iov_base + info->offset;
 }

-- 
2.24.1
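Review bot: The new bound `send_size > iov[0].iov_len - info->offset` in the else branch subtracts before it compares, so if `info->offset` can exceed `iov[0].iov_len` (both look unsigned, but their declarations are outside the hunk) the difference wraps to a huge value and the check passes with `data` pointing past the buffer. Testing the offset first avoids the wrap: `if (info->offset > iov[0].iov_len || send_size > iov[0].iov_len - info->offset) return EINVAL;`. The check also reads `iov[0]` without the visible lines establishing `num_iovs >= 1`. Separately, hoisting `send_size` makes the `malloc` in the `need_temp` path smaller for targets outside the three listed, so it is worth confirming that `read_transfer_data` never copies more than one layer of `info->box` for those targets. The function body starts and ends outside the hunk, so any earlier validation of `offset` or `box->depth` is not visible here.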