vkr: fix two more cases of NULL dereferences
These are marked noautovalidity="true" in vk.xml and the decoder does
not validate them. There are more instances, but for the others, we
will let VVL do its job. Reported by Yiwei.
Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org>
Reviewed-by: Ryan Neph <ryanneph@google.com>
diff --git a/src/venus/vkr_command_buffer.c b/src/venus/vkr_command_buffer.c
index f215d65..8ea426b 100644
--- a/src/venus/vkr_command_buffer.c
+++ b/src/venus/vkr_command_buffer.c
@@ -77,6 +77,12 @@
struct vkr_context *ctx = dispatch->data;
struct list_head free_list;
+ /* args->pCommandBuffers is marked noautovalidity="true" */
+ if (args->commandBufferCount && !args->pCommandBuffers) {
+ vkr_cs_decoder_set_fatal(&ctx->decoder);
+ return;
+ }
+
vkr_command_buffer_destroy_driver_handles(ctx, args, &free_list);
vkr_context_remove_objects(ctx, &free_list);
}
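Review bot: The added comment names the vk.xml attribute but not its consequence, so a reader without vk.xml at hand cannot tell why a NULL array is reachable here at all; suggest expanding it to `/* pCommandBuffers is noautovalidity="true" in vk.xml, so the decoder does not reject a NULL array — fail the context here before it is dereferenced */`. The same guard and comment pattern appears in the vkr_descriptor_set.c hunk and would benefit from the same wording. When commandBufferCount is zero the guard is skipped and a possibly-NULL pCommandBuffers still reaches vkr_command_buffer_destroy_driver_handles, which is presumably harmless if that helper never touches the array for a zero count — worth confirming rather than assuming. The enclosing function's signature is outside the hunk.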
diff --git a/src/venus/vkr_descriptor_set.c b/src/venus/vkr_descriptor_set.c
index 2675add..8580466 100644
--- a/src/venus/vkr_descriptor_set.c
+++ b/src/venus/vkr_descriptor_set.c
@@ -108,6 +108,12 @@
struct vkr_context *ctx = dispatch->data;
struct list_head free_list;
+ /* args->pDescriptorSets is marked noautovalidity="true" */
+ if (args->descriptorSetCount && !args->pDescriptorSets) {
+ vkr_cs_decoder_set_fatal(&ctx->decoder);
+ return;
+ }
+
vkr_descriptor_set_destroy_driver_handles(ctx, args, &free_list);
vkr_context_remove_objects(ctx, &free_list);