Changeset 76787 in vbox

Timestamp:

Jan 11, 2019 8:00:15 PM (6 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

128124

Message:

3D: Parameters validation corrected, bugref:9327

Location:

trunk/src/VBox

Files:

• GuestHost/OpenGL/include/cr_unpack.h (modified) (1 diff)
• HostServices/SharedOpenGL/crserver/crservice.cpp (modified) (1 diff)
• HostServices/SharedOpenGL/crserverlib/server_bufferobject.c (modified) (2 diffs)
• HostServices/SharedOpenGL/crserverlib/server_framebuffer.c (modified) (2 diffs)
• HostServices/SharedOpenGL/crserverlib/server_gentextures.c (modified) (6 diffs)
• HostServices/SharedOpenGL/crserverlib/server_getshaders.c (modified) (10 diffs)
• HostServices/SharedOpenGL/crserverlib/server_glsl.c (modified) (2 diffs)
• HostServices/SharedOpenGL/crserverlib/server_lists.c (modified) (1 diff)
• HostServices/SharedOpenGL/crserverlib/server_occlude.c (modified) (1 diff)
• HostServices/SharedOpenGL/crserverlib/server_readpixels.c (modified) (1 diff)
• HostServices/SharedOpenGL/crserverlib/server_texture.c (modified) (5 diffs)
• HostServices/SharedOpenGL/dlm/dlm_lists.c (modified) (1 diff)
• HostServices/SharedOpenGL/unpacker/unpack_map.c (modified) (4 diffs)
• HostServices/SharedOpenGL/unpacker/unpack_program.c (modified) (5 diffs)
• HostServices/SharedOpenGL/unpacker/unpack_shaders.c (modified) (3 diffs)
• HostServices/SharedOpenGL/unpacker/unpack_texture.c (modified) (1 diff)
• HostServices/SharedOpenGL/unpacker/unpack_visibleregion.c (modified) (1 diff)

trunk/src/VBox/GuestHost/OpenGL/include/cr_unpack.h

@@ -70 +70 @@
 
 #define DATA_POINTER_CHECK( offset ) \
-    ( (offset) >= 0 && (cr_unpackDataEnd >= cr_unpackData) && (size_t)(cr_unpackDataEnd - cr_unpackData) > (size_t)(offset) )
+    ( (cr_unpackDataEnd >= cr_unpackData) && (size_t)(cr_unpackDataEnd - cr_unpackData) >= (size_t)(offset) )
 
 #define INCR_DATA_PTR( delta ) \

trunk/src/VBox/HostServices/SharedOpenGL/crserver/crservice.cpp

@@ -367 +367 @@
         if (pBuffer)
         {
-            pBuffer->pData = RTMemAlloc(cbBufferSize);
+            /* Filling host buffer with zeroes to prevent possible host->guest memory disclosure */
+            pBuffer->pData = RTMemAllocZ(cbBufferSize);
             if (!pBuffer->pData)
             {

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_bufferobject.c

@@ -29 +29 @@
     (void) buffers;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchGenBuffersARB: parameter 'n' is out of range");
@@ -68 +68 @@
     void *b;
 
+    if (size <= 0 || size >= INT32_MAX / 2)
+    {
+        crError("crServerDispatchGetBufferSubDataARB: size is out of range");
+        return;
+    }
+
     b = crCalloc(size);
+
     if (b) {
         cr_server.head_spu->dispatch_table.GetBufferSubDataARB( target, offset, size, b );

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_framebuffer.c

@@ -29 +29 @@
     (void) framebuffers;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchGenFramebuffersEXT: parameter 'n' is out of range");
@@ -49 +49 @@
     (void) renderbuffers;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchGenRenderbuffersEXT: parameter 'n' is out of range");

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_gentextures.c

@@ -17 +17 @@
     (void) textures;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchGenTextures: parameter 'n' is out of range");
@@ -42 +42 @@
     (void) ids;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchGenProgramsNV: parameter 'n' is out of range");
@@ -67 +67 @@
     (void) ids;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchGenFencesNV: parameter 'n' is out of range");
@@ -88 +88 @@
 void SERVER_DISPATCH_APIENTRY crServerDispatchGenProgramsARB( GLsizei n, GLuint * ids )
 {
-    GLuint *local_progs = (GLuint *) crAlloc( n*sizeof( *local_progs) );
+    GLuint *local_progs;
     GLsizei i;
     (void) ids;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchGenProgramsARB: parameter 'n' is out of range");
@@ -102 +102 @@
     if (!local_progs)
     {
-        crError("crServerDispatchGenProgramsARB: out of memory");
+        crError("crServerDispatchGenProgramsARB: out of money");
         return;
     }
@@ -120 +120 @@
     }
 
-    crServerReturnValue( local_progs, n*sizeof( *local_progs ) );
+    crServerReturnValue( local_progs, n * sizeof( *local_progs ) );
     crFree( local_progs );
 }

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_getshaders.c

@@ -39 +39 @@
     crGetActive_t *pLocal = NULL;
 
-    if (bufSize < INT32_MAX / 2)
+    if (bufSize > 0 && bufSize < INT32_MAX / 2)
         pLocal = (crGetActive_t*)crCalloc(bufSize + sizeof(crGetActive_t));
 
@@ -59 +59 @@
     crGetActive_t *pLocal = NULL;
 
-    if (bufSize < INT32_MAX / 2)
+    if (bufSize > 0 && bufSize < INT32_MAX / 2)
         pLocal = (crGetActive_t*) crCalloc(bufSize + sizeof(crGetActive_t));
 
@@ -79 +79 @@
     GLsizei *pLocal = NULL;
 
-    if (maxCount < INT32_MAX / sizeof(GLuint) / 2)
+    if (maxCount > 0 && maxCount < INT32_MAX / sizeof(GLuint) / 2)
         pLocal = (GLsizei*) crCalloc(maxCount * sizeof(GLuint) + sizeof(GLsizei));
 
@@ -108 +108 @@
     GLsizei *pLocal = NULL;
 
-    if (maxCount < INT32_MAX / sizeof(VBoxGLhandleARB) / 2)
+    if (maxCount > 0 && maxCount < INT32_MAX / sizeof(VBoxGLhandleARB) / 2)
         pLocal = (GLsizei*) crCalloc(maxCount * sizeof(VBoxGLhandleARB) + sizeof(GLsizei));
 
@@ -140 +140 @@
     GLuint hwid;
 
-    if (maxLength < INT32_MAX / 2)
+    if (maxLength > 0 && maxLength < INT32_MAX / 2)
         pLocal = (GLsizei*) crCalloc(maxLength + sizeof(GLsizei));
 
@@ -164 +164 @@
     GLsizei *pLocal = NULL;
 
-    if (bufSize < INT32_MAX / 2)
+    if (bufSize > 0 && bufSize < INT32_MAX / 2)
         pLocal = (GLsizei*) crCalloc(bufSize + sizeof(GLsizei));
 
@@ -184 +184 @@
     GLsizei *pLocal = NULL;
 
-    if (bufSize < INT32_MAX / 2)
+    if (bufSize > 0 && bufSize < INT32_MAX / 2)
         pLocal = (GLsizei*) crCalloc(bufSize + sizeof(GLsizei));
 
@@ -205 +205 @@
     GLsizei *pLocal = NULL;
 
-    if (bufSize < INT32_MAX / 2)
+    if (bufSize > 0 && bufSize < INT32_MAX / 2)
         pLocal = (GLsizei*) crCalloc(bufSize + sizeof(GLsizei));
 
@@ -230 +230 @@
     (void) pData;
 
-    if (maxcbData < INT32_MAX / 2)
+    if (maxcbData > 0 && maxcbData < INT32_MAX / 2)
         pLocal = (GLsizei*) crCalloc(maxcbData + sizeof(GLsizei));
 
@@ -256 +256 @@
     (void) pData;
 
-    if (maxcbData < INT32_MAX / 2)
+    if (maxcbData > 0 && maxcbData < INT32_MAX / 2)
         pLocal = (GLsizei*) crCalloc(maxcbData + sizeof(GLsizei));
 

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_glsl.c

@@ -182 +182 @@
     GLint i;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchDeleteProgramsARB: parameter 'n' is out of range");
@@ -223 +223 @@
     (void) residences;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchAreProgramsResidentNV: parameter 'n' is out of range");

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_lists.c

@@ -230 +230 @@
 crServerDispatchCallLists( GLsizei n, GLenum type, const GLvoid *lists )
 {
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchCallLists: parameter 'n' is out of range");

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_occlude.c

@@ -17 +17 @@
     (void) queries;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchGenQueriesARB: parameter 'n' is out of range");

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_readpixels.c

@@ -49 +49 @@
         uint32_t msg_len;
 
-        if (bytes_per_row < 0 || bytes_per_row > UINT32_MAX / 8 || height > UINT32_MAX / 8)
+        if (bytes_per_row <= 0 || height <= 0 || bytes_per_row > INT32_MAX / height)
         {
             crError("crServerDispatchReadPixels: parameters out of range");

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_texture.c

@@ -169 +169 @@
 void SERVER_DISPATCH_APIENTRY crServerDispatchGetTexEnvfv( GLenum target, GLenum pname, GLfloat * params )
 {
-    GLfloat local_params[4];
+    GLfloat local_params[4] = {0};
     (void) params;
     if (GL_POINT_SPRITE != target && pname != GL_COORD_REPLACE)
@@ -181 +181 @@
 void SERVER_DISPATCH_APIENTRY crServerDispatchGetTexEnviv( GLenum target, GLenum pname, GLint * params )
 {
-    GLint local_params[4];
+    GLint local_params[4] = {0};
     (void) params;
     if (GL_POINT_SPRITE != target && pname != GL_COORD_REPLACE)
@@ -203 +203 @@
     GLint i;
 
-    if (n >= UINT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchDeleteTextures: parameter 'n' is out of range");
@@ -239 +239 @@
     GLint i;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchPrioritizeTextures: parameter 'n' is out of range");
@@ -285 +285 @@
     (void) residences;
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crServerDispatchAreTexturesResident: parameter 'n' is out of range");

trunk/src/VBox/HostServices/SharedOpenGL/dlm/dlm_lists.c

@@ -354 +354 @@
     crDebug("DLM: CallLists(%d, %u, %p).", n, type, lists);
 
-    if (n >= INT32_MAX / sizeof(GLuint))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint))
     {
         crError("crDLMCallLists: parameter 'n' is out of range");

trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_map.c

@@ -35 +35 @@
 
     cbMax = (ustride * uorder + vstride * vorder) * sizeof(double);
-    if (!DATA_POINTER_CHECK(cbMax - 1))
+    if (!DATA_POINTER_CHECK(cbMax))
     {
         crError("crUnpackMap2d: parameters out of range");
@@ -70 +70 @@
 
     cbMax = (ustride * uorder + vstride * vorder) * sizeof(float);
-    if (!DATA_POINTER_CHECK(cbMax - 1))
+    if (!DATA_POINTER_CHECK(cbMax))
     {
         crError("crUnpackMap2f: parameters out of range");
@@ -99 +99 @@
 
     cbMax = stride * order * sizeof(double);
-    if (!DATA_POINTER_CHECK(cbMax - 1))
+    if (!DATA_POINTER_CHECK(cbMax))
     {
         crError("crUnpackMap1d: parameters out of range");
@@ -128 +128 @@
 
     cbMax = stride * order * sizeof(float);
-    if (!DATA_POINTER_CHECK(cbMax - 1))
+    if (!DATA_POINTER_CHECK(cbMax))
     {
         crError("crUnpackMap1f: parameters out of range");

trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_program.c

@@ -45 +45 @@
     GLdouble *params;
 
-    if (num >= UINT32_MAX / (4 * sizeof(GLdouble)))
+    if (num <= 0 || num >= INT32_MAX / (4 * sizeof(GLdouble)))
     {
         crError("crUnpackExtendProgramParameters4dvNV: parameter 'num' is out of range");
@@ -71 +71 @@
     GLfloat *params;
 
-    if (num >= UINT32_MAX / (4 * sizeof(GLfloat)))
+    if (num <= 0 || num >= INT32_MAX / (4 * sizeof(GLfloat)))
     {
         crError("crUnpackExtendProgramParameters4fvNV: parameter 'num' is out of range");
@@ -95 +95 @@
     const GLuint *programs = DATA_POINTER(12, const GLuint);
 
-    if (n > UINT32_MAX / sizeof(GLuint) / 4 || !DATA_POINTER_CHECK(20 + n * sizeof(GLuint)))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint) / 4 || !DATA_POINTER_CHECK(20 + n * sizeof(GLuint)))
     {
         crError("crUnpackExtendAreProgramsResidentNV: %d is out of range", n);
@@ -226 +226 @@
     const GLubyte *name = DATA_POINTER(16, GLubyte);
 
-    if (len > UINT32_MAX / 4 || !DATA_POINTER_CHECK(16 + len + 8))
+    if (len <= 0 || len >= INT32_MAX / 4 || !DATA_POINTER_CHECK(16 + len + 8))
     {
         crError("crUnpackExtendGetProgramNamedParameterdvNV: len %d is out of range", len);
@@ -243 +243 @@
     const GLubyte *name = DATA_POINTER(16, GLubyte);
 
-    if (len > UINT32_MAX / 4 || !DATA_POINTER_CHECK(16 + len + 8))
+    if (len <= 0 || len >= INT32_MAX / 4 || !DATA_POINTER_CHECK(16 + len + 8))
     {
         crError("crUnpackExtendGetProgramNamedParameterfvNV: len %d is out of range", len);

trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_shaders.c

@@ -43 +43 @@
     int pos, pos_check;
 
-    if (count >= UINT32_MAX / sizeof(char *) / 4)
+    if (count <= 0 || count >= INT32_MAX / sizeof(char *) / 4)
     {
         crError("crUnpackExtendShaderSource: count %u is out of range", count);
@@ -339 +339 @@
     GLuint program = READ_DATA(8, GLuint);
     const char *name = DATA_POINTER(12, const char);
+
+    if (!DATA_POINTER_CHECK(packet_length))
+    {
+        crError("crUnpackExtendGetAttribLocation: packet_length is out of range");
+        return;
+    }
+
     SET_RETURN_PTR(packet_length-16);
     SET_WRITEBACK_PTR(packet_length-8);
@@ -349 +356 @@
     GLuint program = READ_DATA(8, GLuint);
     const char *name = DATA_POINTER(12, const char);
+
+    if (!DATA_POINTER_CHECK(packet_length))
+    {
+        crError("crUnpackExtendGetUniformLocation: packet_length is out of range");
+        return;
+    }
+
     SET_RETURN_PTR(packet_length-16);
     SET_WRITEBACK_PTR(packet_length-8);

trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_texture.c

@@ -328 +328 @@
     const GLuint *textures = DATA_POINTER( 12, const GLuint );
 
-    if (n > UINT32_MAX / sizeof(GLuint) / 4 || !DATA_POINTER_CHECK(20 + n * sizeof(GLuint)))
+    if (n <= 0 || n >= INT32_MAX / sizeof(GLuint) / 4 || !DATA_POINTER_CHECK(20 + n * sizeof(GLuint)))
     {
         crError("crUnpackExtendAreTexturesResident: %d is out of range", n);

trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_visibleregion.c

@@ -26 +26 @@
     GLint window = READ_DATA( 8, GLint );
     GLint cRects = READ_DATA( 12, GLint );
-    GLvoid *pRects = DATA_POINTER( 16, GLvoid );;
+    GLvoid *pRects = DATA_POINTER( 16, GLvoid );
+
+    if (cRects <= 0 || cRects >= INT32_MAX / sizeof(GLint) / 8 || !DATA_POINTER_CHECK(16 + 4 * cRects * sizeof(GLint)))
+    {
+        crError("crUnpackExtendWindowVisibleRegion: parameter 'cRects' is out of range");
+        return;
+    }
+
     cr_unpackDispatch.WindowVisibleRegion( window, cRects, pRects );
 }