1 From 4ab40b2b60f4f841f75250e1e60c1624d8212cd4 Mon Sep 17 00:00:00 2001
2 From: Adam Jackson <ajax@redhat.com>
3 Date: Mon, 10 Nov 2014 12:13:47 -0500
4 Subject: [PATCH 31/33] glx: Length checking for non-generated single requests
5 (v2) [CVE-2014-8098 7/8]
8 Fix single versus vendor-private length checking for ARB_imaging subset
9 extensions. (Julien Cristau)
12 Fix single versus vendor-private length checking for ARB_imaging subset
13 extensions. (Julien Cristau)
15 Reviewed-by: Michal Srb <msrb@suse.com>
16 Reviewed-by: Andy Ritger <aritger@nvidia.com>
17 Signed-off-by: Adam Jackson <ajax@redhat.com>
18 Signed-off-by: Julien Cristau <jcristau@debian.org>
19 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
21 glx/indirect_texture_compression.c | 4 ++++
22 glx/single2.c | 23 +++++++++++++++----
23 glx/single2swap.c | 19 ++++++++++++----
24 glx/singlepix.c | 44 ++++++++++++++++++++++++------------
25 glx/singlepixswap.c | 34 ++++++++++++++++++++++++----
26 5 files changed, 95 insertions(+), 29 deletions(-)
28 --- a/glx/indirect_texture_compression.c
29 +++ b/glx/indirect_texture_compression.c
30 @@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct _
31 __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
32 ClientPtr client = cl->client;
34 + REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
36 pc += __GLX_SINGLE_HDR_SIZE;
38 const GLenum target = *(GLenum *) (pc + 0);
39 @@ -85,6 +87,8 @@ __glXDispSwap_GetCompressedTexImage(stru
40 __glXForceCurrent(cl, bswap_32(req->contextTag), &error);
41 ClientPtr client = cl->client;
43 + REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
45 pc += __GLX_SINGLE_HDR_SIZE;
47 const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
52 __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
54 + ClientPtr client = cl->client;
60 + REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
62 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
65 @@ -76,10 +79,13 @@ __glXDisp_FeedbackBuffer(__GLXclientStat
67 __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
69 + ClientPtr client = cl->client;
74 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
76 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
79 @@ -104,7 +110,7 @@ __glXDisp_SelectBuffer(__GLXclientState
81 __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
84 + ClientPtr client = cl->client;
85 xGLXRenderModeReply reply;
87 GLint nitems = 0, retBytes = 0, retval, newModeCheck;
88 @@ -112,6 +118,8 @@ __glXDisp_RenderMode(__GLXclientState *
92 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
94 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
97 @@ -188,7 +196,6 @@ __glXDisp_RenderMode(__GLXclientState *
98 ** selection array, as per the API for glRenderMode itself.
101 - client = cl->client;
102 reply = (xGLXRenderModeReply) {
104 .sequenceNumber = client->sequence,
105 @@ -207,9 +214,12 @@ __glXDisp_RenderMode(__GLXclientState *
107 __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
109 + ClientPtr client = cl->client;
113 + REQUEST_SIZE_MATCH(xGLXSingleReq);
115 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
118 @@ -223,10 +233,12 @@ __glXDisp_Flush(__GLXclientState * cl, G
120 __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
122 + ClientPtr client = cl->client;
127 + REQUEST_SIZE_MATCH(xGLXSingleReq);
129 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
132 @@ -317,7 +329,7 @@ __glXcombine_strings(const char *cext_st
134 DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
137 + ClientPtr client = cl->client;
141 @@ -327,6 +339,8 @@ DoGetString(__GLXclientState * cl, GLbyt
142 char *buf = NULL, *buf1 = NULL;
145 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
147 /* If the client has the opposite byte order, swap the contextTag and
150 @@ -343,7 +357,6 @@ DoGetString(__GLXclientState * cl, GLbyt
151 pc += __GLX_SINGLE_HDR_SIZE;
152 name = *(GLenum *) (pc + 0);
153 string = (const char *) glGetString(name);
154 - client = cl->client;
158 --- a/glx/single2swap.c
159 +++ b/glx/single2swap.c
162 __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
164 + ClientPtr client = cl->client;
168 @@ -48,6 +49,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclient
172 + REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
174 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
175 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
177 @@ -77,12 +80,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclient
179 __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
181 + ClientPtr client = cl->client;
185 __GLX_DECLARE_SWAP_VARIABLES;
188 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
190 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
191 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
193 @@ -109,7 +115,7 @@ __glXDispSwap_SelectBuffer(__GLXclientSt
195 __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
198 + ClientPtr client = cl->client;
200 xGLXRenderModeReply reply;
201 GLint nitems = 0, retBytes = 0, retval, newModeCheck;
202 @@ -120,6 +126,8 @@ __glXDispSwap_RenderMode(__GLXclientStat
203 __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
206 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
208 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
209 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
211 @@ -200,7 +208,6 @@ __glXDispSwap_RenderMode(__GLXclientStat
212 ** selection array, as per the API for glRenderMode itself.
215 - client = cl->client;
216 reply = (xGLXRenderModeReply) {
218 .sequenceNumber = client->sequence,
219 @@ -224,11 +231,14 @@ __glXDispSwap_RenderMode(__GLXclientStat
221 __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
223 + ClientPtr client = cl->client;
227 __GLX_DECLARE_SWAP_VARIABLES;
229 + REQUEST_SIZE_MATCH(xGLXSingleReq);
231 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
232 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
234 @@ -243,12 +253,14 @@ __glXDispSwap_Flush(__GLXclientState * c
236 __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
238 + ClientPtr client = cl->client;
243 __GLX_DECLARE_SWAP_VARIABLES;
245 + REQUEST_SIZE_MATCH(xGLXSingleReq);
247 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
248 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
250 @@ -260,7 +272,6 @@ __glXDispSwap_Finish(__GLXclientState *
251 cx->hasUnflushedCommands = GL_FALSE;
253 /* Send empty reply packet to indicate finish is finished */
254 - client = cl->client;
255 __GLX_BEGIN_REPLY(0);
257 __GLX_SWAP_REPLY_HEADER();
258 --- a/glx/singlepix.c
259 +++ b/glx/singlepix.c
260 @@ -51,6 +51,8 @@ __glXDisp_ReadPixels(__GLXclientState *
262 char *answer, answerBuffer[200];
264 + REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
266 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
269 @@ -100,6 +102,8 @@ __glXDisp_GetTexImage(__GLXclientState *
270 char *answer, answerBuffer[200];
271 GLint width = 0, height = 0, depth = 1;
273 + REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
275 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
278 @@ -157,6 +161,8 @@ __glXDisp_GetPolygonStipple(__GLXclientS
279 GLubyte answerBuffer[200];
282 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
284 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
287 @@ -217,15 +223,13 @@ GetSeparableFilter(__GLXclientState * cl
288 compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
289 compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
292 + if ((compsize = safe_pad(compsize)) < 0)
295 + if ((compsize2 = safe_pad(compsize2)) < 0)
297 - compsize = __GLX_PAD(compsize);
298 - compsize2 = __GLX_PAD(compsize2);
300 glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
301 - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
302 + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
303 __glXClearErrorOccured();
304 glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
305 *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
306 @@ -249,7 +253,8 @@ int
307 __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
309 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
311 + ClientPtr client = cl->client;
312 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
313 return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
316 @@ -257,7 +262,8 @@ int
317 __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
319 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
321 + ClientPtr client = cl->client;
322 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
323 return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
326 @@ -323,7 +329,8 @@ int
327 __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
329 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
331 + ClientPtr client = cl->client;
332 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
333 return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
336 @@ -331,7 +338,8 @@ int
337 __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
339 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
341 + ClientPtr client = cl->client;
342 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
343 return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
346 @@ -390,7 +398,8 @@ int
347 __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
349 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
351 + ClientPtr client = cl->client;
352 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
353 return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
356 @@ -398,7 +407,8 @@ int
357 __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
359 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
361 + ClientPtr client = cl->client;
362 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
363 return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
366 @@ -450,7 +460,8 @@ int
367 __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
369 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
371 + ClientPtr client = cl->client;
372 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
373 return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
376 @@ -458,7 +469,8 @@ int
377 __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
379 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
381 + ClientPtr client = cl->client;
382 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
383 return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
386 @@ -517,7 +529,8 @@ int
387 __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
389 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
391 + ClientPtr client = cl->client;
392 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
393 return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
396 @@ -525,6 +538,7 @@ int
397 __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
399 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
401 + ClientPtr client = cl->client;
402 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
403 return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
405 --- a/glx/singlepixswap.c
406 +++ b/glx/singlepixswap.c
407 @@ -53,6 +53,8 @@ __glXDispSwap_ReadPixels(__GLXclientStat
409 char *answer, answerBuffer[200];
411 + REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
413 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
414 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
416 @@ -114,6 +116,8 @@ __glXDispSwap_GetTexImage(__GLXclientSta
417 char *answer, answerBuffer[200];
418 GLint width = 0, height = 0, depth = 1;
420 + REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
422 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
423 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
425 @@ -184,6 +188,8 @@ __glXDispSwap_GetPolygonStipple(__GLXcli
427 __GLX_DECLARE_SWAP_VARIABLES;
429 + REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
431 __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
432 cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
434 @@ -251,15 +257,13 @@ GetSeparableFilter(__GLXclientState * cl
435 compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
436 compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
439 + if ((compsize = safe_pad(compsize)) < 0)
442 + if ((compsize2 = safe_pad(compsize2)) < 0)
444 - compsize = __GLX_PAD(compsize);
445 - compsize2 = __GLX_PAD(compsize2);
447 glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
448 - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
449 + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
450 __glXClearErrorOccured();
451 glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
452 *(GLenum *) (pc + 8), answer, answer + compsize, NULL);
453 @@ -285,7 +289,9 @@ int
454 __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
456 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
457 + ClientPtr client = cl->client;
459 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
460 return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
463 @@ -293,7 +299,9 @@ int
464 __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
466 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
467 + ClientPtr client = cl->client;
469 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
470 return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
473 @@ -367,7 +375,9 @@ int
474 __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
476 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
477 + ClientPtr client = cl->client;
479 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
480 return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
483 @@ -375,7 +385,9 @@ int
484 __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
486 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
487 + ClientPtr client = cl->client;
489 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
490 return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
493 @@ -441,7 +453,9 @@ int
494 __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
496 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
497 + ClientPtr client = cl->client;
499 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
500 return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
503 @@ -449,7 +463,9 @@ int
504 __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
506 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
507 + ClientPtr client = cl->client;
509 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
510 return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
513 @@ -507,7 +523,9 @@ int
514 __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
516 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
517 + ClientPtr client = cl->client;
519 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
520 return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
523 @@ -515,7 +533,9 @@ int
524 __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
526 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
527 + ClientPtr client = cl->client;
529 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
530 return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
533 @@ -581,7 +601,9 @@ int
534 __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
536 const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
537 + ClientPtr client = cl->client;
539 + REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
540 return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
543 @@ -589,6 +611,8 @@ int
544 __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
546 const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
547 + ClientPtr client = cl->client;
549 + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
550 return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);