[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0026-glx-Integer-overflow-protection-for-non-generated-re.patch

From 84caa119e859d66e1a8368f265c16769e44e3291 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:42 -0500
Subject: [PATCH 26/33] glx: Integer overflow protection for non-generated
 render requests (v3) [CVE-2014-8093 5/6]

v2:
Fix constants in __glXMap2fReqSize (Michal Srb)
Validate w/h/d for proxy targets too (Keith Packard)

v3:
Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)

Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 glx/rensize.c |   77 ++++++++++++++++++++++++++++++---------------------------
 1 file changed, 41 insertions(+), 36 deletions(-)

--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -43,19 +43,11 @@
   (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
    ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
 
-static int
-Map1Size(GLint k, GLint order)
-{
-    if (order <= 0 || k < 0)
-        return -1;
-    return k * order;
-}
-
 int
 __glXMap1dReqSize(const GLbyte * pc, Bool swap)
 {
     GLenum target;
-    GLint order, k;
+    GLint order;
 
     target = *(GLenum *) (pc + 16);
     order = *(GLint *) (pc + 20);
@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Boo
         target = SWAPL(target);
         order = SWAPL(order);
     }
-    k = __glMap1d_size(target);
-    return 8 * Map1Size(k, order);
+    if (order < 1)
+        return -1;
+    return safe_mul(8, safe_mul(__glMap1d_size(target), order));
 }
 
 int
 __glXMap1fReqSize(const GLbyte * pc, Bool swap)
 {
     GLenum target;
-    GLint order, k;
+    GLint order;
 
     target = *(GLenum *) (pc + 0);
     order = *(GLint *) (pc + 12);
@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Boo
         target = SWAPL(target);
         order = SWAPL(order);
     }
-    k = __glMap1f_size(target);
-    return 4 * Map1Size(k, order);
+    if (order < 1)
+        return -1;
+    return safe_mul(4, safe_mul(__glMap1f_size(target), order));
 }
 
 static int
 Map2Size(int k, int majorOrder, int minorOrder)
 {
-    if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
+    if (majorOrder < 1 || minorOrder < 1)
         return -1;
-    return k * majorOrder * minorOrder;
+    return safe_mul(k, safe_mul(majorOrder, minorOrder));
 }
 
 int
 __glXMap2dReqSize(const GLbyte * pc, Bool swap)
 {
     GLenum target;
-    GLint uorder, vorder, k;
+    GLint uorder, vorder;
 
     target = *(GLenum *) (pc + 32);
     uorder = *(GLint *) (pc + 36);
@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Boo
         uorder = SWAPL(uorder);
         vorder = SWAPL(vorder);
     }
-    k = __glMap2d_size(target);
-    return 8 * Map2Size(k, uorder, vorder);
+    return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
 }
 
 int
 __glXMap2fReqSize(const GLbyte * pc, Bool swap)
 {
     GLenum target;
-    GLint uorder, vorder, k;
+    GLint uorder, vorder;
 
     target = *(GLenum *) (pc + 0);
     uorder = *(GLint *) (pc + 12);
@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Boo
         uorder = SWAPL(uorder);
         vorder = SWAPL(vorder);
     }
-    k = __glMap2f_size(target);
-    return 4 * Map2Size(k, uorder, vorder);
+    return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
 }
 
 /**
@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum typ
     GLint bytesPerElement, elementsPerGroup, groupsPerRow;
     GLint groupSize, rowSize, padding, imageSize;
 
+    if (w == 0 || h == 0 || d == 0)
+        return 0;
+
     if (w < 0 || h < 0 || d < 0 ||
         (type == GL_BITMAP &&
          (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
         return -1;
     }
-    if (w == 0 || h == 0 || d == 0)
-        return 0;
 
+    /* proxy targets have no data */
     switch (target) {
     case GL_PROXY_TEXTURE_1D:
     case GL_PROXY_TEXTURE_2D:
@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum typ
         return 0;
     }
 
+    /* real data has to have real sizes */
+    if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
+        return -1;
+    if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
+        return -1;
+
     if (type == GL_BITMAP) {
         if (rowLength > 0) {
             groupsPerRow = rowLength;
@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum typ
             groupsPerRow = w;
         }
         rowSize = bits_to_bytes(groupsPerRow);
+        if (rowSize < 0)
+            return -1;
         padding = (rowSize % alignment);
         if (padding) {
             rowSize += alignment - padding;
         }
-        return ((h + skipRows) * rowSize);
+
+        return safe_mul(safe_add(h, skipRows), rowSize);
     }
     else {
         switch (format) {
@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum typ
         default:
             return -1;
         }
+        /* known safe by the switches above, not checked */
         groupSize = bytesPerElement * elementsPerGroup;
         if (rowLength > 0) {
             groupsPerRow = rowLength;
@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum typ
         else {
             groupsPerRow = w;
         }
-        rowSize = groupsPerRow * groupSize;
+
+        if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
+            return -1;
         padding = (rowSize % alignment);
         if (padding) {
             rowSize += alignment - padding;
         }
-        if (imageHeight > 0) {
-            imageSize = (imageHeight + skipRows) * rowSize;
-        }
-        else {
-            imageSize = (h + skipRows) * rowSize;
-        }
-        return ((d + skipImages) * imageSize);
+
+        if (imageHeight > 0)
+            h = imageHeight;
+        h = safe_add(h, skipRows);
+
+        imageSize = safe_mul(h, rowSize);
+
+        return safe_mul(safe_add(d, skipImages), imageSize);
     }
 }
 
@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLby
     /* XXX Should rowLength be used for either or both image? */
     image1size = __glXImageSize(format, type, 0, w, 1, 1,
                                 0, rowLength, 0, 0, alignment);
-    image1size = __GLX_PAD(image1size);
     image2size = __glXImageSize(format, type, 0, h, 1, 1,
                                 0, rowLength, 0, 0, alignment);
-    return image1size + image2size;
-
+    return safe_add(safe_pad(image1size), image2size);
 }
Commit	Line	Data
7217e0ca ML	1	From 84caa119e859d66e1a8368f265c16769e44e3291 Mon Sep 17 00:00:00 2001
	2	From: Adam Jackson <ajax@redhat.com>
	3	Date: Mon, 10 Nov 2014 12:13:42 -0500
	4	Subject: [PATCH 26/33] glx: Integer overflow protection for non-generated
	5	render requests (v3) [CVE-2014-8093 5/6]
	6
	7	v2:
	8	Fix constants in __glXMap2fReqSize (Michal Srb)
	9	Validate w/h/d for proxy targets too (Keith Packard)
	10
	11	v3:
	12	Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
	13
	14	Reviewed-by: Keith Packard <keithp@keithp.com>
	15	Reviewed-by: Michal Srb <msrb@suse.com>
	16	Reviewed-by: Andy Ritger <aritger@nvidia.com>
	17	Signed-off-by: Adam Jackson <ajax@redhat.com>
	18	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	19	---
	20	glx/rensize.c \| 77 ++++++++++++++++++++++++++++++---------------------------
	21	1 file changed, 41 insertions(+), 36 deletions(-)
	22
7217e0ca ML	23	--- a/glx/rensize.c
	24	+++ b/glx/rensize.c
	25	@@ -43,19 +43,11 @@
	26	(((a & 0xff000000U)>>24) \| ((a & 0xff0000U)>>8) \| \
	27	((a & 0xff00U)<<8) \| ((a & 0xffU)<<24))
	28
	29	-static int
	30	-Map1Size(GLint k, GLint order)
	31	-{
	32	- if (order <= 0 \|\| k < 0)
	33	- return -1;
	34	- return k * order;
	35	-}
	36	-
	37	int
	38	__glXMap1dReqSize(const GLbyte * pc, Bool swap)
	39	{
	40	GLenum target;
	41	- GLint order, k;
	42	+ GLint order;
	43
	44	target = (GLenum ) (pc + 16);
	45	order = (GLint ) (pc + 20);
4db25562	46	@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Boo
7217e0ca ML	47	target = SWAPL(target);
	48	order = SWAPL(order);
	49	}
	50	- k = __glMap1d_size(target);
	51	- return 8 * Map1Size(k, order);
	52	+ if (order < 1)
	53	+ return -1;
	54	+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
	55	}
	56
	57	int
	58	__glXMap1fReqSize(const GLbyte * pc, Bool swap)
	59	{
	60	GLenum target;
	61	- GLint order, k;
	62	+ GLint order;
	63
	64	target = (GLenum ) (pc + 0);
	65	order = (GLint ) (pc + 12);
4db25562	66	@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Boo
7217e0ca ML	67	target = SWAPL(target);
	68	order = SWAPL(order);
	69	}
	70	- k = __glMap1f_size(target);
	71	- return 4 * Map1Size(k, order);
	72	+ if (order < 1)
	73	+ return -1;
	74	+ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
	75	}
	76
	77	static int
	78	Map2Size(int k, int majorOrder, int minorOrder)
	79	{
	80	- if (majorOrder <= 0 \|\| minorOrder <= 0 \|\| k < 0)
	81	+ if (majorOrder < 1 \|\| minorOrder < 1)
	82	return -1;
	83	- return k * majorOrder * minorOrder;
	84	+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
	85	}
	86
	87	int
	88	__glXMap2dReqSize(const GLbyte * pc, Bool swap)
	89	{
	90	GLenum target;
	91	- GLint uorder, vorder, k;
	92	+ GLint uorder, vorder;
	93
	94	target = (GLenum ) (pc + 32);
	95	uorder = (GLint ) (pc + 36);
4db25562	96	@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Boo
7217e0ca ML	97	uorder = SWAPL(uorder);
	98	vorder = SWAPL(vorder);
	99	}
	100	- k = __glMap2d_size(target);
	101	- return 8 * Map2Size(k, uorder, vorder);
	102	+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
	103	}
	104
	105	int
	106	__glXMap2fReqSize(const GLbyte * pc, Bool swap)
	107	{
	108	GLenum target;
	109	- GLint uorder, vorder, k;
	110	+ GLint uorder, vorder;
	111
	112	target = (GLenum ) (pc + 0);
	113	uorder = (GLint ) (pc + 12);
4db25562	114	@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Boo
7217e0ca ML	115	uorder = SWAPL(uorder);
	116	vorder = SWAPL(vorder);
	117	}
	118	- k = __glMap2f_size(target);
	119	- return 4 * Map2Size(k, uorder, vorder);
	120	+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
	121	}
	122
	123	/**
4db25562	124	@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum typ
7217e0ca ML	125	GLint bytesPerElement, elementsPerGroup, groupsPerRow;
	126	GLint groupSize, rowSize, padding, imageSize;
	127
	128	+ if (w == 0 \|\| h == 0 \|\| d == 0)
	129	+ return 0;
	130	+
	131	if (w < 0 \|\| h < 0 \|\| d < 0 \|\|
	132	(type == GL_BITMAP &&
	133	(format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
	134	return -1;
	135	}
	136	- if (w == 0 \|\| h == 0 \|\| d == 0)
	137	- return 0;
	138
	139	+ /* proxy targets have no data */
	140	switch (target) {
	141	case GL_PROXY_TEXTURE_1D:
	142	case GL_PROXY_TEXTURE_2D:
4db25562	143	@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum typ
7217e0ca ML	144	return 0;
	145	}
	146
	147	+ /* real data has to have real sizes */
	148	+ if (imageHeight < 0 \|\| rowLength < 0 \|\| skipImages < 0 \|\| skipRows < 0)
	149	+ return -1;
	150	+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
	151	+ return -1;
	152	+
	153	if (type == GL_BITMAP) {
	154	if (rowLength > 0) {
	155	groupsPerRow = rowLength;
4db25562	156	@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum typ
7217e0ca ML	157	groupsPerRow = w;
	158	}
	159	rowSize = bits_to_bytes(groupsPerRow);
	160	+ if (rowSize < 0)
	161	+ return -1;
	162	padding = (rowSize % alignment);
	163	if (padding) {
	164	rowSize += alignment - padding;
	165	}
	166	- return ((h + skipRows) * rowSize);
	167	+
	168	+ return safe_mul(safe_add(h, skipRows), rowSize);
	169	}
	170	else {
	171	switch (format) {
4db25562	172	@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum typ
7217e0ca ML	173	default:
	174	return -1;
	175	}
	176	+ /* known safe by the switches above, not checked */
	177	groupSize = bytesPerElement * elementsPerGroup;
	178	if (rowLength > 0) {
	179	groupsPerRow = rowLength;
4db25562	180	@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum typ
7217e0ca ML	181	else {
	182	groupsPerRow = w;
	183	}
	184	- rowSize = groupsPerRow * groupSize;
	185	+
	186	+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
	187	+ return -1;
	188	padding = (rowSize % alignment);
	189	if (padding) {
	190	rowSize += alignment - padding;
	191	}
	192	- if (imageHeight > 0) {
	193	- imageSize = (imageHeight + skipRows) * rowSize;
	194	- }
	195	- else {
	196	- imageSize = (h + skipRows) * rowSize;
	197	- }
	198	- return ((d + skipImages) * imageSize);
	199	+
	200	+ if (imageHeight > 0)
	201	+ h = imageHeight;
	202	+ h = safe_add(h, skipRows);
	203	+
	204	+ imageSize = safe_mul(h, rowSize);
	205	+
	206	+ return safe_mul(safe_add(d, skipImages), imageSize);
	207	}
	208	}
	209
4db25562	210	@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLby
7217e0ca ML	211	/* XXX Should rowLength be used for either or both image? */
	212	image1size = __glXImageSize(format, type, 0, w, 1, 1,
	213	0, rowLength, 0, 0, alignment);
	214	- image1size = __GLX_PAD(image1size);
	215	image2size = __glXImageSize(format, type, 0, h, 1, 1,
	216	0, rowLength, 0, 0, alignment);
	217	- return image1size + image2size;
	218	-
	219	+ return safe_add(safe_pad(image1size), image2size);
	220	}