1 | From 902b6a30c660f4b38afd936726071b631ada3fcf Mon Sep 17 00:00:00 2001 |
2 | From: Adam Jackson <ajax@redhat.com> | |
3 | Date: Mon, 10 Nov 2014 12:13:38 -0500 | |
4 | Subject: [PATCH 22/33] glx: Additional paranoia in __glXGetAnswerBuffer / | |
5 | __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6] | |
6 | ||
7 | If the computed reply size is negative, something went wrong, treat it | |
8 | as an error. | |
9 | ||
10 | v2: Be more careful about size_t being unsigned (Matthieu Herrb) | |
11 | v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) | |
12 | ||
13 | Reviewed-by: Julien Cristau <jcristau@debian.org> | |
14 | Reviewed-by: Michal Srb <msrb@suse.com> | |
15 | Reviewed-by: Andy Ritger <aritger@nvidia.com> | |
16 | Signed-off-by: Adam Jackson <ajax@redhat.com> | |
17 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
18 | --- | |
19 | glx/indirect_util.c | 7 ++++++- | |
20 | glx/unpack.h | 3 ++- | |
21 | 2 files changed, 8 insertions(+), 2 deletions(-) | |
22 | ||
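--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState *
 const unsigned mask = alignment - 1;
 
 if (local_size < required_size) {
-const size_t worst_case_size = required_size + alignment;
+size_t worst_case_size;
 intptr_t temp_buf;
 
+if (required_size < SIZE_MAX - alignment)
+worst_case_size = required_size + alignment;
+else
+return NULL;
+
 if (cl->returnBufSize < worst_case_size) {
 void *temp = realloc(cl->returnBuf, worst_case_size);
 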
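Review bot: The new guard `if (required_size < SIZE_MAX - alignment)` turns a size_t overflow into a bare `return NULL`, which a caller presumably cannot tell apart from the realloc failure handled further down, so the `else` branch deserves a one-line comment recording the intent, e.g. `/* required_size + alignment would wrap size_t: refuse rather than hand back an undersized buffer */`. `SIZE_MAX` is defined in `<stdint.h>` and the hunk shows no include change, so the file presumably already pulls that header in transitively; worth confirming, since the commit message notes the constant's name was corrected between revisions. The rest of __glXGetAnswerBuffer, including the realloc error path, lies outside the hunk.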
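--- a/glx/unpack.h
+++ b/glx/unpack.h
@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
 ** pointer.
 */
 #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
-if ((size) > sizeof(answerBuffer)) { \
+if (size < 0) return BadLength; \
+else if ((size) > sizeof(answerBuffer)) { \
 int bump; \
 if ((cl)->returnBufSize < (size)+(align)) { \
 (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \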
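Review bot: The added `if (size < 0) return BadLength;` leaves the `size` macro argument unparenthesized, unlike every other use of `(size)` in this macro; it should read `if ((size) < 0) return BadLength; \` so that a compound argument expression binds as intended. The check is only meaningful when the caller passes a signed value: if a call site hands in a `size_t` or another unsigned type the comparison is always false and the new guard silently does nothing, so the invocations (outside this hunk) should be checked for that. The macro body continues past the end of the hunk.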