Created attachment 140049
Fix out of bounds array access in FindProcIndex

When the name passed to FindProcIndex() is not present in the array __EGL_DISPATCH_FUNC_NAMES, "last" can become -1. But since it is declared as unsigned, the "while (first <= last)" check will pass and __EGL_DISPATCH_FUNC_NAMES[] will be accessed out of bounds. When an application tries to look up an egl* API using eglGetProcAddress(), glvnd will try to set the dispatch index by calling __eglSetDispatchIndex() for each vendor. When mesa's __eglSetDispatchIndex() is called and if the egl API is not present in __EGL_DISPATCH_FUNC_NAMES, the application will crash.

I think this bug can be closed once the patch in https://lists.freedesktop.org/archives/mesa-dev/2018-June/196937.html gets submitted.

pushed:

commit 41642bdbca007035772fbfdc311f14daa5510d5d
Author: Kyle Brenneman <kbrenneman@nvidia.com>
Date:   Wed Jun 6 09:08:47 2018 -0600

    egl/glvnd: Fix a segfault in eglGetProcAddress.

    If FindProcIndex in egldispatchstubs.c is called with a name that's less
    than the first entry in the array, it would end up trying to store an
    index of -1 in an unsigned integer, wrap around to 2^32, and then crash
    when it tries to look that up.

    Change FindProcIndex so that it uses bsearch(3) instead of implementing
    its own binary search, like the GLX equivalent FindGLXFunction does.

    Reviewed-by: Eric Engestrom <eric.engestrom@intel.com>
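
The failure mode discussed in this report, as an added example that is neither Mesa's code nor the attached patch: a hand-rolled binary search with unsigned bounds beside a bsearch(3) lookup. The table, the function names and the `-2` guard are assumptions made for the demo; the guard reports the wrapped index at the point where an unchecked loop would read past the array.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, sorted sample table; not Mesa's real dispatch list. */
static const char *const NAMES[] = { "eglExampleB", "eglExampleD", "eglExampleF" };
#define COUNT ((unsigned)(sizeof(NAMES) / sizeof(NAMES[0])))

/* Hand-rolled search with unsigned bounds, as the report describes.
 * Returns the index, -1 if not found, or -2 where the index has wrapped
 * and an unchecked loop would index far outside NAMES. */
static int find_unsigned(const char *name)
{
    unsigned first = 0, last = COUNT - 1;
    while (first <= last) {
        unsigned middle = (first + last) / 2;
        if (middle >= COUNT)
            return -2;              /* guard added for this demo only */
        int c = strcmp(name, NAMES[middle]);
        if (c < 0)
            last = middle - 1;      /* wraps to UINT_MAX when middle == 0 */
        else if (c > 0)
            first = middle + 1;
        else
            return (int)middle;
    }
    return -1;
}

/* bsearch(3) comparator: key is the name, elem points at a table slot. */
static int cmp_name(const void *key, const void *elem)
{
    return strcmp((const char *)key, *(const char *const *)elem);
}

/* Library search: no index arithmetic of our own, so nothing can wrap. */
static int find_bsearch(const char *name)
{
    const char *const *hit = bsearch(name, NAMES, COUNT, sizeof(NAMES[0]), cmp_name);
    return hit ? (int)(hit - NAMES) : -1;
}

int main(void)
{
    const char *probes[] = { "eglExampleA", "eglExampleC", "eglExampleD", "eglExampleZ" };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("%s: unsigned=%d bsearch=%d\n", probes[i], find_unsigned(probes[i]), find_bsearch(probes[i]));
    return 0;
}
```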