[PATCH 0/1] MR7295: wined3d: Fix a memory write out-of-bounds (Coverity).
ffp_extra_binding is an array of 2. However, "bindings->ffp_extra_binding[shader_type] = binding_idx;" at shader_spirv.c line 748 can write to ffp_extra_binding[5]. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/7295
From: Zhiyi Zhang <zzhang(a)codeweavers.com> ffp_extra_binding is an array of 2. However, "bindings->ffp_extra_binding[shader_type] = binding_idx;" at shader_spirv.c line 748 can write to ffp_extra_binding[5]. --- dlls/wined3d/shader_spirv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dlls/wined3d/shader_spirv.c b/dlls/wined3d/shader_spirv.c index 9a1fd1dd3fc..6256a70d5bc 100644 --- a/dlls/wined3d/shader_spirv.c +++ b/dlls/wined3d/shader_spirv.c @@ -44,7 +44,7 @@ struct shader_spirv_resource_bindings size_t binding_base[WINED3D_SHADER_TYPE_COUNT]; enum wined3d_shader_type so_stage; - uint32_t ffp_extra_binding[2]; + uint32_t ffp_extra_binding[WINED3D_SHADER_TYPE_COUNT]; }; struct shader_spirv_priv -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/7295
This cannot happen; we only write those fields for sm1 shaders, which can only be pixel or vertex. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/7295#note_94164
This cannot happen; we only write those fields for sm1 shaders, which can only be pixel or vertex.
That's true, but it's perhaps also more fragile than it needs to be, since that depends on those being the first two enum elements. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/7295#note_94166
This merge request was closed by Zhiyi Zhang. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/7295
This cannot happen; we only write those fields for sm1 shaders, which can only be pixel or vertex.
That's true, but it's perhaps also more fragile than it needs to be, since that depends on those being the first two enum elements.
Yes, that's true. I'll send a patch to make it less fragile. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/7295#note_94491
participants (4)
-
Elizabeth Figura (@zfigura) -
Henri Verbeet (@hverbeet)
-
Zhiyi Zhang
-
Zhiyi Zhang (@zhiyi)