[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0025-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch

From 02f91446a5446d7287a0fc30aa8b15a1cd29c2cf Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 10 Nov 2014 12:13:41 -0500
Subject: [PATCH 25/33] glx: Length checking for GLXRender requests (v2)
 [CVE-2014-8098 2/8]

v2:
Remove can't-happen comparison for cmdlen < 0 (Michal Srb)

Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 glx/glxcmds.c |   21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2015,7 +2015,7 @@ __glXDisp_Render(__GLXclientState * cl,
     left = (req->length << 2) - sz_xGLXRenderReq;
     while (left > 0) {
         __GLXrenderSizeData entry;
-        int extra;
+        int extra = 0;
         __GLXdispatchRenderProcPtr proc;
         int err;
 
@@ -2034,6 +2034,9 @@ __glXDisp_Render(__GLXclientState * cl,
         cmdlen = hdr->length;
         opcode = hdr->opcode;
 
+        if (left < cmdlen)
+            return BadLength;
+
         /*
          ** Check for core opcodes and grab entry data.
          */
@@ -2047,6 +2050,10 @@ __glXDisp_Render(__GLXclientState * cl,
             return __glXError(GLXBadRenderRequest);
         }
 
+        if (cmdlen < entry.bytes) {
+            return BadLength;
+        }
+
         if (entry.varsize) {
             /* variable size command */
             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
@@ -2054,17 +2061,9 @@ __glXDisp_Render(__GLXclientState * cl,
             if (extra < 0) {
                 return BadLength;
             }
-            if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
-                return BadLength;
-            }
         }
-        else {
-            /* constant size command */
-            if (cmdlen != __GLX_PAD(entry.bytes)) {
-                return BadLength;
-            }
-        }
-        if (left < cmdlen) {
+
+        if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
             return BadLength;
         }
Commit	Line	Data
7217e0ca ML	1	From 02f91446a5446d7287a0fc30aa8b15a1cd29c2cf Mon Sep 17 00:00:00 2001
	2	From: Julien Cristau <jcristau@debian.org>
	3	Date: Mon, 10 Nov 2014 12:13:41 -0500
	4	Subject: [PATCH 25/33] glx: Length checking for GLXRender requests (v2)
	5	[CVE-2014-8098 2/8]
	6
	7	v2:
	8	Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
	9
	10	Reviewed-by: Adam Jackson <ajax@redhat.com>
	11	Reviewed-by: Michal Srb <msrb@suse.com>
	12	Reviewed-by: Andy Ritger <aritger@nvidia.com>
	13	Signed-off-by: Julien Cristau <jcristau@debian.org>
	14	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	15	---
	16	glx/glxcmds.c \| 21 ++++++++++-----------
	17	1 file changed, 10 insertions(+), 11 deletions(-)
	18
4db25562 JB	19	--- a/glx/glxcmds.c
	20	+++ b/glx/glxcmds.c
	21	@@ -2015,7 +2015,7 @@ __glXDisp_Render(__GLXclientState * cl,
7217e0ca ML	22	left = (req->length << 2) - sz_xGLXRenderReq;
	23	while (left > 0) {
	24	__GLXrenderSizeData entry;
	25	- int extra;
	26	+ int extra = 0;
	27	__GLXdispatchRenderProcPtr proc;
	28	int err;
	29
4db25562	30	@@ -2034,6 +2034,9 @@ __glXDisp_Render(__GLXclientState * cl,
7217e0ca ML	31	cmdlen = hdr->length;
	32	opcode = hdr->opcode;
	33
	34	+ if (left < cmdlen)
	35	+ return BadLength;
	36	+
	37	/*
	38	** Check for core opcodes and grab entry data.
	39	*/
4db25562	40	@@ -2047,6 +2050,10 @@ __glXDisp_Render(__GLXclientState * cl,
7217e0ca ML	41	return __glXError(GLXBadRenderRequest);
	42	}
	43
	44	+ if (cmdlen < entry.bytes) {
	45	+ return BadLength;
	46	+ }
	47	+
	48	if (entry.varsize) {
	49	/* variable size command */
	50	extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
4db25562	51	@@ -2054,17 +2061,9 @@ __glXDisp_Render(__GLXclientState * cl,
7217e0ca ML	52	if (extra < 0) {
	53	return BadLength;
	54	}
	55	- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
	56	- return BadLength;
	57	- }
	58	}
	59	- else {
	60	- /* constant size command */
	61	- if (cmdlen != __GLX_PAD(entry.bytes)) {
	62	- return BadLength;
	63	- }
	64	- }
	65	- if (left < cmdlen) {
	66	+
	67	+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
	68	return BadLength;
	69	}
	70