[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0026-glx-Integer-overflow-protection-for-non-generated-re.patch

From 84caa119e859d66e1a8368f265c16769e44e3291 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:42 -0500
Subject: [PATCH 26/33] glx: Integer overflow protection for non-generated
 render requests (v3) [CVE-2014-8093 5/6]

v2:
Fix constants in __glXMap2fReqSize (Michal Srb)
Validate w/h/d for proxy targets too (Keith Packard)

v3:
Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)

Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 glx/rensize.c |   77 ++++++++++++++++++++++++++++++---------------------------
 1 file changed, 41 insertions(+), 36 deletions(-)

diff --git a/glx/rensize.c b/glx/rensize.c
index 9ff73c7..d46334a 100644
--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -43,19 +43,11 @@
   (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
    ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
 
-static int
-Map1Size(GLint k, GLint order)
-{
-    if (order <= 0 || k < 0)
-        return -1;
-    return k * order;
-}
-
 int
 __glXMap1dReqSize(const GLbyte * pc, Bool swap)
 {
     GLenum target;
-    GLint order, k;
+    GLint order;
 
     target = *(GLenum *) (pc + 16);
     order = *(GLint *) (pc + 20);
@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
         target = SWAPL(target);
         order = SWAPL(order);
     }
-    k = __glMap1d_size(target);
-    return 8 * Map1Size(k, order);
+    if (order < 1)
+        return -1;
+    return safe_mul(8, safe_mul(__glMap1d_size(target), order));
 }
 
 int
 __glXMap1fReqSize(const GLbyte * pc, Bool swap)
 {
     GLenum target;
-    GLint order, k;
+    GLint order;
 
     target = *(GLenum *) (pc + 0);
     order = *(GLint *) (pc + 12);
@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
         target = SWAPL(target);
         order = SWAPL(order);
     }
-    k = __glMap1f_size(target);
-    return 4 * Map1Size(k, order);
+    if (order < 1)
+        return -1;
+    return safe_mul(4, safe_mul(__glMap1f_size(target), order));
 }
 
 static int
 Map2Size(int k, int majorOrder, int minorOrder)
 {
-    if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
+    if (majorOrder < 1 || minorOrder < 1)
         return -1;
-    return k * majorOrder * minorOrder;
+    return safe_mul(k, safe_mul(majorOrder, minorOrder));
 }
 
 int
 __glXMap2dReqSize(const GLbyte * pc, Bool swap)
 {
     GLenum target;
-    GLint uorder, vorder, k;
+    GLint uorder, vorder;
 
     target = *(GLenum *) (pc + 32);
     uorder = *(GLint *) (pc + 36);
@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
         uorder = SWAPL(uorder);
         vorder = SWAPL(vorder);
     }
-    k = __glMap2d_size(target);
-    return 8 * Map2Size(k, uorder, vorder);
+    return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
 }
 
 int
 __glXMap2fReqSize(const GLbyte * pc, Bool swap)
 {
     GLenum target;
-    GLint uorder, vorder, k;
+    GLint uorder, vorder;
 
     target = *(GLenum *) (pc + 0);
     uorder = *(GLint *) (pc + 12);
@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
         uorder = SWAPL(uorder);
         vorder = SWAPL(vorder);
     }
-    k = __glMap2f_size(target);
-    return 4 * Map2Size(k, uorder, vorder);
+    return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
 }
 
 /**
@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
     GLint bytesPerElement, elementsPerGroup, groupsPerRow;
     GLint groupSize, rowSize, padding, imageSize;
 
+    if (w == 0 || h == 0 || d == 0)
+        return 0;
+
     if (w < 0 || h < 0 || d < 0 ||
         (type == GL_BITMAP &&
          (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
         return -1;
     }
-    if (w == 0 || h == 0 || d == 0)
-        return 0;
 
+    /* proxy targets have no data */
     switch (target) {
     case GL_PROXY_TEXTURE_1D:
     case GL_PROXY_TEXTURE_2D:
@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         return 0;
     }
 
+    /* real data has to have real sizes */
+    if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
+        return -1;
+    if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
+        return -1;
+
     if (type == GL_BITMAP) {
         if (rowLength > 0) {
             groupsPerRow = rowLength;
@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
             groupsPerRow = w;
         }
         rowSize = bits_to_bytes(groupsPerRow);
+        if (rowSize < 0)
+            return -1;
         padding = (rowSize % alignment);
         if (padding) {
             rowSize += alignment - padding;
         }
-        return ((h + skipRows) * rowSize);
+
+        return safe_mul(safe_add(h, skipRows), rowSize);
     }
     else {
         switch (format) {
@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         default:
             return -1;
         }
+        /* known safe by the switches above, not checked */
         groupSize = bytesPerElement * elementsPerGroup;
         if (rowLength > 0) {
             groupsPerRow = rowLength;
@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
         else {
             groupsPerRow = w;
         }
-        rowSize = groupsPerRow * groupSize;
+
+        if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
+            return -1;
         padding = (rowSize % alignment);
         if (padding) {
             rowSize += alignment - padding;
         }
-        if (imageHeight > 0) {
-            imageSize = (imageHeight + skipRows) * rowSize;
-        }
-        else {
-            imageSize = (h + skipRows) * rowSize;
-        }
-        return ((d + skipImages) * imageSize);
+
+        if (imageHeight > 0)
+            h = imageHeight;
+        h = safe_add(h, skipRows);
+
+        imageSize = safe_mul(h, rowSize);
+
+        return safe_mul(safe_add(d, skipImages), imageSize);
     }
 }
 
@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
     /* XXX Should rowLength be used for either or both image? */
     image1size = __glXImageSize(format, type, 0, w, 1, 1,
                                 0, rowLength, 0, 0, alignment);
-    image1size = __GLX_PAD(image1size);
     image2size = __glXImageSize(format, type, 0, h, 1, 1,
                                 0, rowLength, 0, 0, alignment);
-    return image1size + image2size;
-
+    return safe_add(safe_pad(image1size), image2size);
 }
-- 
1.7.9.2
Commit	Line	Data
7217e0ca ML	1	From 84caa119e859d66e1a8368f265c16769e44e3291 Mon Sep 17 00:00:00 2001
	2	From: Adam Jackson <ajax@redhat.com>
	3	Date: Mon, 10 Nov 2014 12:13:42 -0500
	4	Subject: [PATCH 26/33] glx: Integer overflow protection for non-generated
	5	render requests (v3) [CVE-2014-8093 5/6]
	6
	7	v2:
	8	Fix constants in __glXMap2fReqSize (Michal Srb)
	9	Validate w/h/d for proxy targets too (Keith Packard)
	10
	11	v3:
	12	Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
	13
	14	Reviewed-by: Keith Packard <keithp@keithp.com>
	15	Reviewed-by: Michal Srb <msrb@suse.com>
	16	Reviewed-by: Andy Ritger <aritger@nvidia.com>
	17	Signed-off-by: Adam Jackson <ajax@redhat.com>
	18	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	19	---
	20	glx/rensize.c \| 77 ++++++++++++++++++++++++++++++---------------------------
	21	1 file changed, 41 insertions(+), 36 deletions(-)
	22
	23	diff --git a/glx/rensize.c b/glx/rensize.c
	24	index 9ff73c7..d46334a 100644
	25	--- a/glx/rensize.c
	26	+++ b/glx/rensize.c
	27	@@ -43,19 +43,11 @@
	28	(((a & 0xff000000U)>>24) \| ((a & 0xff0000U)>>8) \| \
	29	((a & 0xff00U)<<8) \| ((a & 0xffU)<<24))
	30
	31	-static int
	32	-Map1Size(GLint k, GLint order)
	33	-{
	34	- if (order <= 0 \|\| k < 0)
	35	- return -1;
	36	- return k * order;
	37	-}
	38	-
	39	int
	40	__glXMap1dReqSize(const GLbyte * pc, Bool swap)
	41	{
	42	GLenum target;
	43	- GLint order, k;
	44	+ GLint order;
	45
	46	target = (GLenum ) (pc + 16);
	47	order = (GLint ) (pc + 20);
	48	@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
	49	target = SWAPL(target);
	50	order = SWAPL(order);
	51	}
	52	- k = __glMap1d_size(target);
	53	- return 8 * Map1Size(k, order);
	54	+ if (order < 1)
	55	+ return -1;
	56	+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
	57	}
	58
	59	int
	60	__glXMap1fReqSize(const GLbyte * pc, Bool swap)
	61	{
	62	GLenum target;
	63	- GLint order, k;
	64	+ GLint order;
65
66	target = (GLenum ) (pc + 0);
67	order = (GLint ) (pc + 12);
68	@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
69	target = SWAPL(target);
70	order = SWAPL(order);
71	}
72	- k = __glMap1f_size(target);
73	- return 4 * Map1Size(k, order);
74	+ if (order < 1)
75	+ return -1;
76	+ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
77	}
78
79	static int
80	Map2Size(int k, int majorOrder, int minorOrder)
81	{
82	- if (majorOrder <= 0 \|\| minorOrder <= 0 \|\| k < 0)
83	+ if (majorOrder < 1 \|\| minorOrder < 1)
84	return -1;
85	- return k * majorOrder * minorOrder;
86	+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
87	}
88
89	int
90	__glXMap2dReqSize(const GLbyte * pc, Bool swap)
91	{
92	GLenum target;
93	- GLint uorder, vorder, k;
94	+ GLint uorder, vorder;
95
96	target = (GLenum ) (pc + 32);
97	uorder = (GLint ) (pc + 36);
98	@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
99	uorder = SWAPL(uorder);
100	vorder = SWAPL(vorder);
101	}
102	- k = __glMap2d_size(target);
103	- return 8 * Map2Size(k, uorder, vorder);
104	+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
105	}
106
107	int
108	__glXMap2fReqSize(const GLbyte * pc, Bool swap)
109	{
110	GLenum target;
111	- GLint uorder, vorder, k;
112	+ GLint uorder, vorder;
113
114	target = (GLenum ) (pc + 0);
115	uorder = (GLint ) (pc + 12);
116	@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
117	uorder = SWAPL(uorder);
118	vorder = SWAPL(vorder);
119	}
120	- k = __glMap2f_size(target);
121	- return 4 * Map2Size(k, uorder, vorder);
122	+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
123	}
124
125	/**
126	@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
127	GLint bytesPerElement, elementsPerGroup, groupsPerRow;
128	GLint groupSize, rowSize, padding, imageSize;
129
130	+ if (w == 0 \|\| h == 0 \|\| d == 0)
131	+ return 0;
132	+
133	if (w < 0 \|\| h < 0 \|\| d < 0 \|\|
134	(type == GL_BITMAP &&
135	(format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
136	return -1;
137	}
138	- if (w == 0 \|\| h == 0 \|\| d == 0)
139	- return 0;
140
141	+ /* proxy targets have no data */
142	switch (target) {
143	case GL_PROXY_TEXTURE_1D:
144	case GL_PROXY_TEXTURE_2D:
145	@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
146	return 0;
147	}
148
149	+ /* real data has to have real sizes */
150	+ if (imageHeight < 0 \|\| rowLength < 0 \|\| skipImages < 0 \|\| skipRows < 0)
151	+ return -1;
152	+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
153	+ return -1;
154	+
155	if (type == GL_BITMAP) {
156	if (rowLength > 0) {
157	groupsPerRow = rowLength;
158	@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
159	groupsPerRow = w;
160	}
161	rowSize = bits_to_bytes(groupsPerRow);
162	+ if (rowSize < 0)
163	+ return -1;
164	padding = (rowSize % alignment);
165	if (padding) {
166	rowSize += alignment - padding;
167	}
168	- return ((h + skipRows) * rowSize);
169	+
170	+ return safe_mul(safe_add(h, skipRows), rowSize);
171	}
172	else {
173	switch (format) {
174	@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
175	default:
176	return -1;
177	}
178	+ /* known safe by the switches above, not checked */
179	groupSize = bytesPerElement * elementsPerGroup;
180	if (rowLength > 0) {
181	groupsPerRow = rowLength;
182	@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
183	else {
184	groupsPerRow = w;
185	}
186	- rowSize = groupsPerRow * groupSize;
187	+
188	+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
189	+ return -1;
190	padding = (rowSize % alignment);
191	if (padding) {
192	rowSize += alignment - padding;
193	}
194	- if (imageHeight > 0) {
195	- imageSize = (imageHeight + skipRows) * rowSize;
196	- }
197	- else {
198	- imageSize = (h + skipRows) * rowSize;
199	- }
200	- return ((d + skipImages) * imageSize);
201	+
202	+ if (imageHeight > 0)
203	+ h = imageHeight;
204	+ h = safe_add(h, skipRows);
205	+
206	+ imageSize = safe_mul(h, rowSize);
207	+
208	+ return safe_mul(safe_add(d, skipImages), imageSize);
209	}
210	}
211
212	@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
213	/* XXX Should rowLength be used for either or both image? */
214	image1size = __glXImageSize(format, type, 0, w, 1, 1,
215	0, rowLength, 0, 0, alignment);
216	- image1size = __GLX_PAD(image1size);
217	image2size = __glXImageSize(format, type, 0, h, 1, 1,
218	0, rowLength, 0, 0, alignment);
219	- return image1size + image2size;
220	-
221	+ return safe_add(safe_pad(image1size), image2size);
222	}
223	--
224	1.7.9.2
225