Changeset 78076 in vbox for trunk/src/VBox/HostServices/SharedOpenGL

Timestamp:

Apr 10, 2019 11:20:02 AM (6 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

129932

Message:

GuestHost/OpenGL,HostServices/SharedOpenGL: Fixed parameter validation, bugref:9433

Location:

trunk/src/VBox/HostServices/SharedOpenGL

Files:

• crserverlib/server_get.py (modified) (2 diffs)
• crserverlib/server_texture.c (modified) (2 diffs)
• unpacker/unpack.py (modified) (3 diffs)

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_get.py

@@ -127 +127 @@
         local_argname = 'local_%s' % lastParam[0]
 
-        print('\t%s %s[%d];' % ( local_argtype, local_argname, max_components[func_name] ))
+        print('\t%s %s[%d] = { 0 };' % ( local_argtype, local_argname, max_components[func_name] ))
         print('\t(void) %s;' % lastParam[0])
 
@@ -142 +142 @@
             print('\tcrServerReturnValue(&(%s[0]), %d*sizeof(%s));' % (local_argname, max_components[func_name], local_argtype ))
         else:
-            print('\tcrServerReturnValue(&(%s[0]), crStateHlpComponentsCount(pname)*sizeof(%s));' % (local_argname, local_argtype ))
+            print('\tunsigned int cComponents = RT_MIN(crStateHlpComponentsCount(pname), RT_ELEMENTS(%s));' % local_argname)
+            print('\tcrServerReturnValue(&(%s[0]), cComponents*sizeof(%s));' % (local_argname, local_argtype ))
         print ('}\n')

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_texture.c

@@ -176 +176 @@
         crStateGetTexEnvfv( target, pname, local_params );
 
-    crServerReturnValue( &(local_params[0]), crStateHlpComponentsCount(pname)*sizeof (GLfloat) );
+    size_t cComponents = RT_MIN(crStateHlpComponentsCount(pname), RT_ELEMENTS(local_params));
+    crServerReturnValue( &(local_params[0]), cComponents*sizeof (GLfloat) );
 }
 
@@ -188 +189 @@
         crStateGetTexEnviv( target, pname, local_params );
 
-    crServerReturnValue( &(local_params[0]), crStateHlpComponentsCount(pname)*sizeof (GLint) );
+    size_t cComponents = RT_MIN(crStateHlpComponentsCount(pname), RT_ELEMENTS(local_params));
+    crServerReturnValue( &(local_params[0]), cComponents*sizeof (GLint) );
 }
 

trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack.py

@@ -170 +170 @@
     print("{")
 
+    # Verify that the provided buffer length is what we expect.
+    packet_length = apiutil.PacketLength( params )
+    print("\tif(!DATA_POINTER_CHECK(%d))" % packet_length);
+    print("\t{");
+    print("\t\tcrError(\"crUnpack%s: parameters out of range\");" % func_name);
+    print("\t\treturn;");
+    print("\t}");
+
     vector_func = apiutil.VectorFunction(func_name)
     if (vector_func and len(apiutil.Parameters(vector_func)) == 1):
@@ -175 +183 @@
     else:
         MakeNormalCall( return_type, func_name, params )
-    packet_length = apiutil.PacketLength( params )
     if packet_length == 0:
         print("\tINCR_DATA_PTR_NO_ARGS( );")
@@ -330 +337 @@
             print('static void crUnpackExtend%s(void)' % func_name)
             print('{')
+
+            # Verify that the provided buffer length is what we expect.
+            packet_length = apiutil.PacketLength( params )
+            print("\tif(!DATA_POINTER_CHECK(%d))" % packet_length);
+            print("\t{");
+            print("\t\tcrError(\"crUnpack%s: parameters out of range\");" % func_name);
+            print("\t\treturn;");
+            print("\t}");
+
             MakeNormalCall( return_type, func_name, params, 8 )
             print('}\n')