1 From 4ab40b2b60f4f841f75250e1e60c1624d8212cd4 Mon Sep 17 00:00:00 2001
2 From: Adam Jackson <ajax@redhat.com>
3 Date: Mon, 10 Nov 2014 12:13:47 -0500
4 Subject: [PATCH 31/33] glx: Length checking for non-generated single requests
5 (v2) [CVE-2014-8098 7/8]
8 Fix single versus vendor-private length checking for ARB_imaging subset
9 extensions. (Julien Cristau)
12 Fix single versus vendor-private length checking for ARB_imaging subset
13 extensions. (Julien Cristau)
15 Reviewed-by: Michal Srb <msrb@suse.com>
16 Reviewed-by: Andy Ritger <aritger@nvidia.com>
17 Signed-off-by: Adam Jackson <ajax@redhat.com>
18 Signed-off-by: Julien Cristau <jcristau@debian.org>
19 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
21 glx/indirect_texture_compression.c | 4 ++++
22 glx/single2.c | 23 +++++++++++++++----
23 glx/single2swap.c | 19 ++++++++++++----
24 glx/singlepix.c | 44 ++++++++++++++++++++++++------------
25 glx/singlepixswap.c | 34 ++++++++++++++++++++++++----
26 5 files changed, 95 insertions(+), 29 deletions(-)
28 Index: xorg-server-1.15.1/glx/indirect_texture_compression.c
29 ===================================================================
30 --- xorg-server-1.15.1.orig/glx/indirect_texture_compression.c 2014-12-04 11:56:48.021535287 -0500
31 +++ xorg-server-1.15.1/glx/indirect_texture_compression.c 2014-12-04 11:56:48.017535262 -0500
33 __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
34 ClientPtr client = cl->client;
36 + REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
38 pc += __GLX_SINGLE_HDR_SIZE;
40 const GLenum target = *(GLenum *) (pc + 0);
42 __glXForceCurrent(cl, bswap_32(req->contextTag), &error);
43 ClientPtr client = cl->client;
45 + REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
47 pc += __GLX_SINGLE_HDR_SIZE;
49 const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
50 Index: xorg-server-1.15.1/glx/single2.c
51 ===================================================================
52 --- xorg-server-1.15.1.orig/glx/single2.c 2014-12-04 11:56:48.021535287 -0500
53 +++ xorg-server-1.15.1/glx/single2.c 2014-12-04 11:56:48.017535262 -0500
56 __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
58 + ClientPtr client = cl->client;
64 + REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
66 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
71 __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
73 + ClientPtr client = cl->client;
78 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
80 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
85 __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
88 + ClientPtr client = cl->client;
89 xGLXRenderModeReply reply;
91 GLint nitems = 0, retBytes = 0, retval, newModeCheck;
96 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
98 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
102 ** selection array, as per the API for glRenderMode itself.
105 - client = cl->client;
106 reply = (xGLXRenderModeReply) {
108 .sequenceNumber = client->sequence,
111 __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
113 + ClientPtr client = cl->client;
117 + REQUEST_SIZE_MATCH(xGLXSingleReq);
119 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
122 @@ -223,10 +233,12 @@
124 __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
126 + ClientPtr client = cl->client;
131 + REQUEST_SIZE_MATCH(xGLXSingleReq);
133 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
138 DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
141 + ClientPtr client = cl->client;
146 char *buf = NULL, *buf1 = NULL;
149 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
151 /* If the client has the opposite byte order, swap the contextTag and
155 pc += __GLX_SINGLE_HDR_SIZE;
156 name = *(GLenum *) (pc + 0);
157 string = (const char *) glGetString(name);
158 - client = cl->client;
162 Index: xorg-server-1.15.1/glx/single2swap.c
163 ===================================================================
164 --- xorg-server-1.15.1.orig/glx/single2swap.c 2014-12-04 11:56:48.021535287 -0500
165 +++ xorg-server-1.15.1/glx/single2swap.c 2014-12-04 11:56:48.017535262 -0500
168 __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
170 + ClientPtr client = cl->client;
178 + REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
180 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
181 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
185 __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
187 + ClientPtr client = cl->client;
191 __GLX_DECLARE_SWAP_VARIABLES;
194 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
196 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
197 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
201 __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
204 + ClientPtr client = cl->client;
206 xGLXRenderModeReply reply;
207 GLint nitems = 0, retBytes = 0, retval, newModeCheck;
209 __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
212 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
214 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
215 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
218 ** selection array, as per the API for glRenderMode itself.
221 - client = cl->client;
222 reply = (xGLXRenderModeReply) {
224 .sequenceNumber = client->sequence,
225 @@ -224,11 +231,14 @@
227 __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
229 + ClientPtr client = cl->client;
233 __GLX_DECLARE_SWAP_VARIABLES;
235 + REQUEST_SIZE_MATCH(xGLXSingleReq);
237 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
238 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
240 @@ -243,12 +253,14 @@
242 __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
244 + ClientPtr client = cl->client;
249 __GLX_DECLARE_SWAP_VARIABLES;
251 + REQUEST_SIZE_MATCH(xGLXSingleReq);
253 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
254 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
257 cx->hasUnflushedCommands = GL_FALSE;
259 /* Send empty reply packet to indicate finish is finished */
260 - client = cl->client;
261 __GLX_BEGIN_REPLY(0);
263 __GLX_SWAP_REPLY_HEADER();
264 Index: xorg-server-1.15.1/glx/singlepix.c
265 ===================================================================
266 --- xorg-server-1.15.1.orig/glx/singlepix.c 2014-12-04 11:56:48.021535287 -0500
267 +++ xorg-server-1.15.1/glx/singlepix.c 2014-12-04 11:56:48.017535262 -0500
270 char *answer, answerBuffer[200];
272 + REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
274 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
278 char *answer, answerBuffer[200];
279 GLint width = 0, height = 0, depth = 1;
281 + REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
283 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
287 GLubyte answerBuffer[200];
290 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
292 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
295 @@ -217,15 +223,13 @@
296 compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
297 compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
300 + if ((compsize = safe_pad(compsize)) < 0)
303 + if ((compsize2 = safe_pad(compsize2)) < 0)
305 - compsize = __GLX_PAD(compsize);
306 - compsize2 = __GLX_PAD(compsize2);
308 glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
309 - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
310 + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
311 __glXClearErrorOccured();
312 glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
313 *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
315 __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
317 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
319 + ClientPtr client = cl->client;
320 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
321 return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
325 __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
327 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
329 + ClientPtr client = cl->client;
330 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
331 return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
335 __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
337 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
339 + ClientPtr client = cl->client;
340 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
341 return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
345 __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
347 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
349 + ClientPtr client = cl->client;
350 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
351 return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
355 __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
357 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
359 + ClientPtr client = cl->client;
360 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
361 return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
365 __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
367 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
369 + ClientPtr client = cl->client;
370 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
371 return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
375 __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
377 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
379 + ClientPtr client = cl->client;
380 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
381 return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
385 __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
387 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
389 + ClientPtr client = cl->client;
390 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
391 return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
395 __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
397 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
399 + ClientPtr client = cl->client;
400 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
401 return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
405 __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
407 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
409 + ClientPtr client = cl->client;
410 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
411 return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
413 Index: xorg-server-1.15.1/glx/singlepixswap.c
414 ===================================================================
415 --- xorg-server-1.15.1.orig/glx/singlepixswap.c 2014-12-04 11:56:48.021535287 -0500
416 +++ xorg-server-1.15.1/glx/singlepixswap.c 2014-12-04 11:56:48.017535262 -0500
419 char *answer, answerBuffer[200];
421 + REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
423 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
424 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
427 char *answer, answerBuffer[200];
428 GLint width = 0, height = 0, depth = 1;
430 + REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
432 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
433 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
437 __GLX_DECLARE_SWAP_VARIABLES;
439 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
441 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
442 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
444 @@ -251,15 +257,13 @@
445 compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
446 compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
449 + if ((compsize = safe_pad(compsize)) < 0)
452 + if ((compsize2 = safe_pad(compsize2)) < 0)
454 - compsize = __GLX_PAD(compsize);
455 - compsize2 = __GLX_PAD(compsize2);
457 glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
458 - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
459 + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
460 __glXClearErrorOccured();
461 glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
462 *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
464 __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
466 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
467 + ClientPtr client = cl->client;
469 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
470 return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
474 __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
476 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
477 + ClientPtr client = cl->client;
479 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
480 return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
484 __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
486 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
487 + ClientPtr client = cl->client;
489 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
490 return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
494 __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
496 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
497 + ClientPtr client = cl->client;
499 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
500 return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
504 __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
506 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
507 + ClientPtr client = cl->client;
509 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
510 return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
514 __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
516 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
517 + ClientPtr client = cl->client;
519 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
520 return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
524 __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
526 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
527 + ClientPtr client = cl->client;
529 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
530 return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
534 __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
536 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
537 + ClientPtr client = cl->client;
539 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
540 return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
544 __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
546 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
547 + ClientPtr client = cl->client;
549 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
550 return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
554 __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
556 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
557 + ClientPtr client = cl->client;
559 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
560 return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);