From fd2e32a4afe7266660d5e98e3fe6513f8da0a4bc Mon Sep 17 00:00:00 2001
From: yezengruan <yezengruan@huawei.com>
Date: Sat, 27 Aug 2022 17:47:38 +0800
Subject: [PATCH] vrend: Add test to resource OOB write and fix it
 (CVE-2022-0135)

(cherry picked from commit a162182b68f6b5596d19a76e4c54857ac09cb909)
---
 backport-CVE-2022-0135.patch | 33 +++++++++++++++++++++++++++++++++
 virglrenderer.spec           |  6 +++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-0135.patch

diff --git a/backport-CVE-2022-0135.patch b/backport-CVE-2022-0135.patch
new file mode 100644
index 0000000..72ee1b3
--- /dev/null
+++ b/backport-CVE-2022-0135.patch
@@ -0,0 +1,33 @@
+From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 10:17:26 +0100
+Subject: [PATCH] vrend: Add test to resource OOB write and fix it
+
+v2: Also check that no depth != 1 has been send when none is due
+
+Closes: #250
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+---
+ src/vrend_renderer.c        |  3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 28f6697..357b81b 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+                                           info->box->height) * elsize;
+       if (res->target == GL_TEXTURE_3D ||
+           res->target == GL_TEXTURE_2D_ARRAY ||
++          res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+           res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+           send_size *= info->box->depth;
++      else if (need_temp && info->box->depth != 1)
++         return EINVAL;
+ 
+       if (need_temp) {
+          data = malloc(send_size);
+-- 
+2.27.0
+
diff --git a/virglrenderer.spec b/virglrenderer.spec
index 869e736..31672fa 100644
--- a/virglrenderer.spec
+++ b/virglrenderer.spec
@@ -1,6 +1,6 @@
 Name:		virglrenderer
 Version:	0.7.0
-Release:	4
+Release:	5
 Summary:	VirGL virtual OpenGL renderer
 License:	MIT
 URL: https://virgil3d.github.io
@@ -15,6 +15,7 @@ Patch4:  backport-CVE-2019-18388.patch
 Patch5:  backport-CVE-2020-8002.patch
 Patch6:  backport-CVE-2020-8003.patch
 Patch7:  backport-CVE-2022-0175.patch
+Patch8:  backport-CVE-2022-0135.patch
 
 BuildRequires:	autoconf
 BuildRequires:	automake
@@ -69,6 +70,9 @@ rm -rf %{buildroot}%{_bindir}/virgl_test_server
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Sat Aug 27 2022 yezengruan <yezengruan@huawei.com> - 0.7.0-5
+- vrend: Add test to resource OOB write and fix it (CVE-2022-0135)
+
 * Wed Jul 06 2022 yezengruan <yezengruan@huawei.com> - 0.7.0-4
 - vrend: clear memory when allocating a host-backed memory resource (CVE-2022-0175)
 
-- 
Gitee