Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From 13f54e513024fc8224065515d9c664135aba1848 Mon Sep 17 00:00:00 2001 |
2 | From: Adam Jackson <ajax@redhat.com> | |
3 | Date: Mon, 10 Nov 2014 12:13:40 -0500 | |
4 | Subject: [PATCH 24/33] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] | |
5 | ||
6 | These are paranoid about integer overflow, and will return -1 if their | |
7 | operation would overflow a (signed) integer or if either argument is | |
8 | negative. | |
9 | ||
10 | Note that RenderLarge requests are sized with a uint32_t so in principle | |
11 | this could be sketchy there, but dix limits bigreqs to 128M so you | |
12 | shouldn't ever notice, and honestly if you're sending more than 2G of | |
13 | rendering commands you're already doing something very wrong. | |
14 | ||
15 | v2: Use INT_MAX for consistency with the rest of the server (jcristau) | |
16 | v3: Reject negative arguments (anholt) | |
17 | ||
18 | Reviewed-by: Keith Packard <keithp@keithp.com> | |
19 | Reviewed-by: Julien Cristau <jcristau@debian.org> | |
20 | Reviewed-by: Michal Srb <msrb@suse.com> | |
21 | Reviewed-by: Andy Ritger <aritger@nvidia.com> | |
22 | Signed-off-by: Adam Jackson <ajax@redhat.com> | |
23 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
24 | --- | |
25 | glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++ | |
26 | 1 file changed, 41 insertions(+) | |
27 | ||
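--- a/glx/glxserver.h
+++ b/glx/glxserver.h
@@ -230,6 +230,47 @@
 * Routines for computing the size of variably-sized rendering commands.
 */
 
+static _X_INLINE int
+safe_add(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (INT_MAX - a < b)
+ return -1;
+
+ return a + b;
+}
+
+static _X_INLINE int
+safe_mul(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (a == 0 || b == 0)
+ return 0;
+
+ if (a > INT_MAX / b)
+ return -1;
+
+ return a * b;
+}
+
+static _X_INLINE int
+safe_pad(int a)
+{
+ int ret;
+
+ if (a < 0)
+ return -1;
+
+ if ((ret = safe_add(a, 3)) < 0)
+ return -1;
+
+ return ret & (GLuint)~3;
+}
+
 extern int __glXTypeSize(GLenum enm);
 extern int __glXImageSize(GLenum format, GLenum type,
 GLenum target, GLsizei w, GLsizei h, GLsizei d,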
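Review bot: The three helpers report failure through an in-band -1 but carry no comment saying so, and they are inserted between the existing "Routines for computing the size of variably-sized rendering commands" comment and the externs that comment describes. A caller that uses the result as a length without testing `< 0` first would turn -1 into a very large unsigned size, so the contract should be written where the helpers are defined. I would add `/* Overflow-checked int arithmetic for request sizes: returns -1 on overflow or negative input; test the result for < 0 before using it as a length. */` above `safe_add` and place the helpers above the existing comment rather than below it. The rejection of negative arguments also means a failed result fed into another safe_* call stays -1, which the comment could mention since it lets callers check once at the end of a chain. The hunk uses `INT_MAX`, and the diffstat's 41 insertions are all these lines, so no include is added here; confirm `<limits.h>` is already reachable from glxserver.h.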