From 29914fb15eb00ce148190e7f37cb92c1a3b8c27c Mon Sep 17 00:00:00 2001
From: Ian Elliott <ianelliott@google.com>
Date: Fri, 1 Sep 2023 15:39:37 -0700
Subject: [PATCH] Vulkan: Avoid buffer overflow by ignoring duplicate
 extensions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For any instance extension that a Vulkan driver supports, if a
VkInstance is created with that extension listed multiple times, the
2nd-nth times should be ignored.  That avoids overwriting an array in
CreateInfoWrapper::FilterExtension().

CRs-Fixed: 3430007
Test: Manual testing with logcat
Bug: 288929054
Change-Id: I096a6752e0f4abef868efdb6f8b4bcbd0c0c79cd
(cherry picked from commit 3b48e15760dbc6999833f1be83b0cf75e2bcf8e3)
Signed-off-by: Simão Gomes Viana <devel@superboring.dev>
---
 vulkan/libvulkan/driver.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/vulkan/libvulkan/driver.cpp b/vulkan/libvulkan/driver.cpp
index 273cdd547e..aea897c84c 100644
--- a/vulkan/libvulkan/driver.cpp
+++ b/vulkan/libvulkan/driver.cpp
@@ -763,6 +763,17 @@ void CreateInfoWrapper::FilterExtension(const char* name) {
             continue;
         }
 
+        // Ignore duplicate extensions (see: b/288929054)
+        bool duplicate_entry = false;
+        for (uint32_t j = 0; j < filter.name_count; j++) {
+            if (strcmp(name, filter.names[j]) == 0) {
+                duplicate_entry = true;
+                break;
+            }
+        }
+        if (duplicate_entry == true)
+            continue;
+
         filter.names[filter.name_count++] = name;
         if (ext_bit != ProcHook::EXTENSION_UNKNOWN) {
             if (ext_bit == ProcHook::ANDROID_native_buffer)
-- 
GitLab