1 | From 02f91446a5446d7287a0fc30aa8b15a1cd29c2cf Mon Sep 17 00:00:00 2001 |
2 | From: Julien Cristau <jcristau@debian.org> | |
3 | Date: Mon, 10 Nov 2014 12:13:41 -0500 | |
4 | Subject: [PATCH 25/33] glx: Length checking for GLXRender requests (v2) | |
5 | [CVE-2014-8098 2/8] | |
6 | ||
7 | v2: | |
8 | Remove can't-happen comparison for cmdlen < 0 (Michal Srb) | |
9 | ||
10 | Reviewed-by: Adam Jackson <ajax@redhat.com> | |
11 | Reviewed-by: Michal Srb <msrb@suse.com> | |
12 | Reviewed-by: Andy Ritger <aritger@nvidia.com> | |
13 | Signed-off-by: Julien Cristau <jcristau@debian.org> | |
14 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
15 | --- | |
16 | glx/glxcmds.c | 21 ++++++++++----------- | |
17 | 1 file changed, 10 insertions(+), 11 deletions(-) | |
18 | ||
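--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2015,7 +2015,7 @@ __glXDisp_Render(__GLXclientState * cl,
 left = (req->length << 2) - sz_xGLXRenderReq;
 while (left > 0) {
 __GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
 __GLXdispatchRenderProcPtr proc;
 int err;
 
@@ -2034,6 +2034,9 @@ __glXDisp_Render(__GLXclientState * cl,
 cmdlen = hdr->length;
 opcode = hdr->opcode;
 
+ if (left < cmdlen)
+ return BadLength;
+
 /*
 ** Check for core opcodes and grab entry data.
 */
@@ -2047,6 +2050,10 @@ __glXDisp_Render(__GLXclientState * cl,
 return __glXError(GLXBadRenderRequest);
 }
 
+ if (cmdlen < entry.bytes) {
+ return BadLength;
+ }
+
 if (entry.varsize) {
 /* variable size command */
 extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
@@ -2054,17 +2061,9 @@ __glXDisp_Render(__GLXclientState * cl,
 if (extra < 0) {
 return BadLength;
 }
- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
- return BadLength;
- }
 }
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes)) {
- return BadLength;
- }
- }
- if (left < cmdlen) {
+
+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
 return BadLength;
 }
 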
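Review bot: The length checks added in the last two hunks depend on their order and on the new `int extra = 0;` initialiser in the first hunk, and no comment records that. The `cmdlen < entry.bytes` guard sits ahead of the `entry.varsize` call, presumably so the callback only parses fields that lie inside the command, and the merged `cmdlen != safe_pad(safe_add(entry.bytes, extra))` test now reads `extra` on the constant-size path as well. I would add above the `entry.bytes` check something like `/* fixed part must fit in cmdlen before varsize() parses it; extra stays 0 for constant-size commands */`. `safe_add` and `safe_pad` are defined outside this patch; the final comparison rejects an overflowed sum only if they return a negative value on failure (the commit message says `cmdlen` is never negative), so that contract is worth confirming against their definitions. The body of `__glXDisp_Render` starts and ends outside these hunks.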