[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0024-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6.patch

From 13f54e513024fc8224065515d9c664135aba1848 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:40 -0500
Subject: [PATCH 24/33] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]

These are paranoid about integer overflow, and will return -1 if their
operation would overflow a (signed) integer or if either argument is
negative.

Note that RenderLarge requests are sized with a uint32_t so in principle
this could be sketchy there, but dix limits bigreqs to 128M so you
shouldn't ever notice, and honestly if you're sending more than 2G of
rendering commands you're already doing something very wrong.

v2: Use INT_MAX for consistency with the rest of the server (jcristau)
v3: Reject negative arguments (anholt)

Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 glx/glxserver.h |   41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

--- a/glx/glxserver.h
+++ b/glx/glxserver.h
@@ -230,6 +230,47 @@ extern void glxSwapQueryServerStringRepl
  * Routines for computing the size of variably-sized rendering commands.
  */
 
+static _X_INLINE int
+safe_add(int a, int b)
+{
+    if (a < 0 || b < 0)
+        return -1;
+
+    if (INT_MAX - a < b)
+        return -1;
+
+    return a + b;
+}
+
+static _X_INLINE int
+safe_mul(int a, int b)
+{
+    if (a < 0 || b < 0)
+        return -1;
+
+    if (a == 0 || b == 0)
+        return 0;
+
+    if (a > INT_MAX / b)
+        return -1;
+
+    return a * b;
+}
+
+static _X_INLINE int
+safe_pad(int a)
+{
+    int ret;
+
+    if (a < 0)
+        return -1;
+
+    if ((ret = safe_add(a, 3)) < 0)
+        return -1;
+
+    return ret & (GLuint)~3;
+}
+
 extern int __glXTypeSize(GLenum enm);
 extern int __glXImageSize(GLenum format, GLenum type,
                           GLenum target, GLsizei w, GLsizei h, GLsizei d,
Commit	Line	Data
7217e0ca ML	1	From 13f54e513024fc8224065515d9c664135aba1848 Mon Sep 17 00:00:00 2001
	2	From: Adam Jackson <ajax@redhat.com>
	3	Date: Mon, 10 Nov 2014 12:13:40 -0500
	4	Subject: [PATCH 24/33] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
	5
	6	These are paranoid about integer overflow, and will return -1 if their
	7	operation would overflow a (signed) integer or if either argument is
	8	negative.
	9
	10	Note that RenderLarge requests are sized with a uint32_t so in principle
	11	this could be sketchy there, but dix limits bigreqs to 128M so you
	12	shouldn't ever notice, and honestly if you're sending more than 2G of
	13	rendering commands you're already doing something very wrong.
	14
	15	v2: Use INT_MAX for consistency with the rest of the server (jcristau)
	16	v3: Reject negative arguments (anholt)
	17
	18	Reviewed-by: Keith Packard <keithp@keithp.com>
	19	Reviewed-by: Julien Cristau <jcristau@debian.org>
	20	Reviewed-by: Michal Srb <msrb@suse.com>
	21	Reviewed-by: Andy Ritger <aritger@nvidia.com>
	22	Signed-off-by: Adam Jackson <ajax@redhat.com>
	23	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	24	---
	25	glx/glxserver.h \| 41 +++++++++++++++++++++++++++++++++++++++++
	26	1 file changed, 41 insertions(+)
	27
4db25562 JB	28	--- a/glx/glxserver.h
	29	+++ b/glx/glxserver.h
	30	@@ -230,6 +230,47 @@ extern void glxSwapQueryServerStringRepl
7217e0ca ML	31	* Routines for computing the size of variably-sized rendering commands.
	32	*/
	33
	34	+static _X_INLINE int
	35	+safe_add(int a, int b)
	36	+{
	37	+ if (a < 0 \|\| b < 0)
	38	+ return -1;
	39	+
	40	+ if (INT_MAX - a < b)
	41	+ return -1;
	42	+
	43	+ return a + b;
	44	+}
	45	+
	46	+static _X_INLINE int
	47	+safe_mul(int a, int b)
	48	+{
	49	+ if (a < 0 \|\| b < 0)
	50	+ return -1;
	51	+
	52	+ if (a == 0 \|\| b == 0)
	53	+ return 0;
	54	+
	55	+ if (a > INT_MAX / b)
	56	+ return -1;
	57	+
	58	+ return a * b;
	59	+}
	60	+
	61	+static _X_INLINE int
	62	+safe_pad(int a)
	63	+{
	64	+ int ret;
	65	+
	66	+ if (a < 0)
	67	+ return -1;
	68	+
	69	+ if ((ret = safe_add(a, 3)) < 0)
	70	+ return -1;
	71	+
	72	+ return ret & (GLuint)~3;
	73	+}
	74	+
	75	extern int __glXTypeSize(GLenum enm);
	76	extern int __glXImageSize(GLenum format, GLenum type,
	77	GLenum target, GLsizei w, GLsizei h, GLsizei d,