diff options
| author | Charles Giessen <charles@lunarg.com> | 2023-05-26 17:58:18 -0600 |
|---|---|---|
| committer | Charles Giessen <46324611+charles-lunarg@users.noreply.github.com> | 2023-05-29 21:31:01 -0600 |
| commit | 845f0fc359ec64f33b591aa8bf29c76c7d09f07c (patch) | |
| tree | dc19f61d30bbeb75c6f067c507c3101be4542322 | |
| parent | a25449cc6b58a3aa09fcf2c2d7fd4bfa15a32602 (diff) | |
| download | usermoji-845f0fc359ec64f33b591aa8bf29c76c7d09f07c.tar.xz | |
icd: Fix OOB writes in QueuePerfCounters
vkEnumeratePhysicalDeviceQueueFamilyPerformanceQueryCountersKHR was blindly
writing to the pCounters buffer without first checking that the pCounterCount
contained enough space for the data. Now Mock ICD will return VK_INCOMPLETE
if not enough space is available as well as write as many elements as there
is space for.
| -rw-r--r-- | icd/generated/mock_icd.cpp | 10 | ||||
| -rw-r--r-- | scripts/mock_icd_generator.py | 10 |
2 files changed, 20 insertions, 0 deletions
diff --git a/icd/generated/mock_icd.cpp b/icd/generated/mock_icd.cpp index ea8e4096..7f6817c5 100644 --- a/icd/generated/mock_icd.cpp +++ b/icd/generated/mock_icd.cpp @@ -3551,19 +3551,29 @@ static VKAPI_ATTR VkResult VKAPI_CALL EnumeratePhysicalDeviceQueueFamilyPerforma if (!pCounters) { *pCounterCount = 3; } else { + if (*pCounterCount == 0){ + return VK_INCOMPLETE; + } // arbitrary pCounters[0].unit = VK_PERFORMANCE_COUNTER_UNIT_GENERIC_KHR; pCounters[0].scope = VK_QUERY_SCOPE_COMMAND_BUFFER_KHR; pCounters[0].storage = VK_PERFORMANCE_COUNTER_STORAGE_INT32_KHR; pCounters[0].uuid[0] = 0x01; + if (*pCounterCount == 1){ + return VK_INCOMPLETE; + } pCounters[1].unit = VK_PERFORMANCE_COUNTER_UNIT_GENERIC_KHR; pCounters[1].scope = VK_QUERY_SCOPE_RENDER_PASS_KHR; pCounters[1].storage = VK_PERFORMANCE_COUNTER_STORAGE_INT32_KHR; pCounters[1].uuid[0] = 0x02; + if (*pCounterCount == 2){ + return VK_INCOMPLETE; + } pCounters[2].unit = VK_PERFORMANCE_COUNTER_UNIT_GENERIC_KHR; pCounters[2].scope = VK_QUERY_SCOPE_COMMAND_KHR; pCounters[2].storage = VK_PERFORMANCE_COUNTER_STORAGE_INT32_KHR; pCounters[2].uuid[0] = 0x03; + *pCounterCount = 3; } return VK_SUCCESS; } diff --git a/scripts/mock_icd_generator.py b/scripts/mock_icd_generator.py index c67d17b5..fdf74969 100644 --- a/scripts/mock_icd_generator.py +++ b/scripts/mock_icd_generator.py @@ -1236,19 +1236,29 @@ CUSTOM_C_INTERCEPTS = { if (!pCounters) { *pCounterCount = 3; } else { + if (*pCounterCount == 0){ + return VK_INCOMPLETE; + } // arbitrary pCounters[0].unit = VK_PERFORMANCE_COUNTER_UNIT_GENERIC_KHR; pCounters[0].scope = VK_QUERY_SCOPE_COMMAND_BUFFER_KHR; pCounters[0].storage = VK_PERFORMANCE_COUNTER_STORAGE_INT32_KHR; pCounters[0].uuid[0] = 0x01; + if (*pCounterCount == 1){ + return VK_INCOMPLETE; + } pCounters[1].unit = VK_PERFORMANCE_COUNTER_UNIT_GENERIC_KHR; pCounters[1].scope = VK_QUERY_SCOPE_RENDER_PASS_KHR; pCounters[1].storage = VK_PERFORMANCE_COUNTER_STORAGE_INT32_KHR; pCounters[1].uuid[0] = 0x02; + if (*pCounterCount == 2){ + return VK_INCOMPLETE; + } pCounters[2].unit = VK_PERFORMANCE_COUNTER_UNIT_GENERIC_KHR; pCounters[2].scope = VK_QUERY_SCOPE_COMMAND_KHR; pCounters[2].storage = VK_PERFORMANCE_COUNTER_STORAGE_INT32_KHR; pCounters[2].uuid[0] = 0x03; + *pCounterCount = 3; } return VK_SUCCESS; ''', |