X-Git-Url: https://git.piment-noir.org/?a=blobdiff_plain;ds=sidebyside;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0024-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0024-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6.patch;h=af08e6a4127998507a4963d116d0dc3dc13330cc;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hp=0000000000000000000000000000000000000000;hpb=a09e091a5c996d46a398abb27b06fe504591673f;p=deb_xorg-server.git
diff --git a/debian/patches/CVE-2014-8xxx/0024-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6.patch b/debian/patches/CVE-2014-8xxx/0024-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6.patch
new file mode 100644
index 0000000..af08e6a
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0024-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6.patch
@@ -0,0 +1,79 @@
+From 13f54e513024fc8224065515d9c664135aba1848 Mon Sep 17 00:00:00 2001
+From: Adam Jackson
+Date: Mon, 10 Nov 2014 12:13:40 -0500
+Subject: [PATCH 24/33] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
+
+These are paranoid about integer overflow, and will return -1 if their
+operation would overflow a (signed) integer or if either argument is
+negative.
+
+Note that RenderLarge requests are sized with a uint32_t so in principle
+this could be sketchy there, but dix limits bigreqs to 128M so you
+shouldn't ever notice, and honestly if you're sending more than 2G of
+rendering commands you're already doing something very wrong.
+
+v2: Use INT_MAX for consistency with the rest of the server (jcristau)
+v3: Reject negative arguments (anholt)
+
+Reviewed-by: Keith Packard
+Reviewed-by: Julien Cristau
+Reviewed-by: Michal Srb
+Reviewed-by: Andy Ritger
+Signed-off-by: Adam Jackson
+Signed-off-by: Alan Coopersmith
+---
+ glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+Index: xorg-server-1.15.1/glx/glxserver.h
+===================================================================
+--- xorg-server-1.15.1.orig/glx/glxserver.h 2014-12-04 11:55:58.221223978 -0500
++++ xorg-server-1.15.1/glx/glxserver.h 2014-12-04 11:55:58.217223954 -0500
+@@ -230,6 +230,47 @@
+ * Routines for computing the size of variably-sized rendering commands.
+ */
+
++static _X_INLINE int
++safe_add(int a, int b)
++{
++ if (a < 0 || b < 0)
++ return -1;
++
++ if (INT_MAX - a < b)
++ return -1;
++
++ return a + b;
++}
++
++static _X_INLINE int
++safe_mul(int a, int b)
++{
++ if (a < 0 || b < 0)
++ return -1;
++
++ if (a == 0 || b == 0)
++ return 0;
++
++ if (a > INT_MAX / b)
++ return -1;
++
++ return a * b;
++}
++
++static _X_INLINE int
++safe_pad(int a)
++{
++ int ret;
++
++ if (a < 0)
++ return -1;
++
++ if ((ret = safe_add(a, 3)) < 0)
++ return -1;
++
++ return ret & (GLuint)~3;
++}
++
+ extern int __glXTypeSize(GLenum enm);
+ extern int __glXImageSize(GLenum format, GLenum type,
+ GLenum target, GLsizei w, GLsizei h, GLsizei d,
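Review bot: safe_add, safe_mul and safe_pad are added to glx/glxserver.h with no comment stating their contract, and the -1 sentinel only protects the request-size checks if every caller tests the result for `< 0` before comparing it with a length or using it as an offset. I would put a short comment above safe_add, for example `/* Return -1 on overflow or negative input; check the result for < 0 before using it as a size. */`. In safe_pad the leading `if (a < 0)` test repeats what safe_add already rejects, and `ret & (GLuint)~3` mixes signed and unsigned operands where `ret & ~3` gives the same value for the non-negative `ret` that reaches it. The hunk uses INT_MAX without showing an include of `<limits.h>`; presumably glxserver.h gets it through another header, but that is worth confirming.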