Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From 13f54e513024fc8224065515d9c664135aba1848 Mon Sep 17 00:00:00 2001 |
2 | From: Adam Jackson <ajax@redhat.com> | |
3 | Date: Mon, 10 Nov 2014 12:13:40 -0500 | |
4 | Subject: [PATCH 24/33] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] | |
5 | ||
6 | These are paranoid about integer overflow, and will return -1 if their | |
7 | operation would overflow a (signed) integer or if either argument is | |
8 | negative. | |
9 | ||
10 | Note that RenderLarge requests are sized with a uint32_t so in principle | |
11 | this could be sketchy there, but dix limits bigreqs to 128M so you | |
12 | shouldn't ever notice, and honestly if you're sending more than 2G of | |
13 | rendering commands you're already doing something very wrong. | |
14 | ||
15 | v2: Use INT_MAX for consistency with the rest of the server (jcristau) | |
16 | v3: Reject negative arguments (anholt) | |
17 | ||
18 | Reviewed-by: Keith Packard <keithp@keithp.com> | |
19 | Reviewed-by: Julien Cristau <jcristau@debian.org> | |
20 | Reviewed-by: Michal Srb <msrb@suse.com> | |
21 | Reviewed-by: Andy Ritger <aritger@nvidia.com> | |
22 | Signed-off-by: Adam Jackson <ajax@redhat.com> | |
23 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
24 | --- | |
25 | glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++ | |
26 | 1 file changed, 41 insertions(+) | |
27 | ||
4db25562 JB |
28 | --- a/glx/glxserver.h |
29 | +++ b/glx/glxserver.h | |
30 | @@ -230,6 +230,47 @@ extern void glxSwapQueryServerStringRepl | |
7217e0ca ML |
31 | * Routines for computing the size of variably-sized rendering commands. |
32 | */ | |
33 | ||
34 | +static _X_INLINE int | |
35 | +safe_add(int a, int b) | |
36 | +{ | |
37 | + if (a < 0 || b < 0) | |
38 | + return -1; | |
39 | + | |
40 | + if (INT_MAX - a < b) | |
41 | + return -1; | |
42 | + | |
43 | + return a + b; | |
44 | +} | |
45 | + | |
46 | +static _X_INLINE int | |
47 | +safe_mul(int a, int b) | |
48 | +{ | |
49 | + if (a < 0 || b < 0) | |
50 | + return -1; | |
51 | + | |
52 | + if (a == 0 || b == 0) | |
53 | + return 0; | |
54 | + | |
55 | + if (a > INT_MAX / b) | |
56 | + return -1; | |
57 | + | |
58 | + return a * b; | |
59 | +} | |
60 | + | |
61 | +static _X_INLINE int | |
62 | +safe_pad(int a) | |
63 | +{ | |
64 | + int ret; | |
65 | + | |
66 | + if (a < 0) | |
67 | + return -1; | |
68 | + | |
69 | + if ((ret = safe_add(a, 3)) < 0) | |
70 | + return -1; | |
71 | + | |
72 | + return ret & (GLuint)~3; | |
73 | +} | |
74 | + | |
75 | extern int __glXTypeSize(GLenum enm); | |
76 | extern int __glXImageSize(GLenum format, GLenum type, | |
77 | GLenum target, GLsizei w, GLsizei h, GLsizei d, |
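Review bot: safe_add, safe_mul and safe_pad are added without any comment stating their contract, which only the commit message records: each returns -1 on overflow or when an argument is negative. Because negative arguments are rejected, a failed result passed into another safe_* call stays -1, so a chain of size computations needs one `< 0` test at the end; that deserves to be written above the helpers, e.g. `/* Each returns -1 on overflow or negative input, and -1 propagates through chained calls; test the final int for < 0 before using it as a length. */`. The comment should also say the test must happen on the int itself, since assigning the result to an unsigned type first would turn -1 into a very large size. In safe_pad the `a < 0` test repeats the one safe_add already performs. `INT_MAX` needs `<limits.h>`, whose include is not visible in this hunk.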