1 | From 554e382ba7aae961ca88c75edb1caffb5d00e9f6 Mon Sep 17 00:00:00 2001 |
2 | From: Adam Jackson <ajax@redhat.com> | |
3 | Date: Mon, 10 Nov 2014 12:13:45 -0500 | |
4 | Subject: [PATCH 29/33] glx: Request length checks for SetClientInfoARB | |
5 | [CVE-2014-8098 5/8] | |
6 | ||
7 | Reviewed-by: Keith Packard <keithp@keithp.com> | |
8 | Reviewed-by: Julien Cristau <jcristau@debian.org> | |
9 | Reviewed-by: Michal Srb <msrb@suse.com> | |
10 | Reviewed-by: Andy Ritger <aritger@nvidia.com> | |
11 | Signed-off-by: Adam Jackson <ajax@redhat.com> | |
12 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
13 | --- | |
14 | glx/clientinfo.c | 19 ++++++++++++++----- | |
15 | 1 file changed, 14 insertions(+), 5 deletions(-) | |
16 | ||
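--- a/glx/clientinfo.c
+++ b/glx/clientinfo.c
@@ -33,18 +33,21 @@ static int
 set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
 unsigned bytes_per_version)
 {
+ ClientPtr client = cl->client;
 char *gl_extensions;
 char *glx_extensions;
 
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
 /* Verify that the size of the packet matches the size inferred from the
 * sizes specified for the various fields.
 */
- const unsigned expected_size = sz_xGLXSetClientInfoARBReq
- + (req->numVersions * bytes_per_version)
- + __GLX_PAD(req->numGLExtensionBytes)
- + __GLX_PAD(req->numGLXExtensionBytes);
+ int size = sz_xGLXSetClientInfoARBReq;
+ size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
+ size = safe_add(size, safe_pad(req->numGLExtensionBytes));
+ size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
 
- if (req->length != (expected_size / 4))
+ if (size < 0 || req->length != (size / 4))
 return BadLength;
 
 /* Verify that the actual length of the GL extension string matches what's
@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientSt
 int
 __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 {
+ ClientPtr client = cl->client;
 xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
 req->length = bswap_16(req->length);
 req->numVersions = bswap_32(req->numVersions);
 req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientS
 int
 __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 {
+ ClientPtr client = cl->client;
 xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
 req->length = bswap_16(req->length);
 req->numVersions = bswap_32(req->numVersions);
 req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);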
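Review bot: In the first hunk, the final test in set_client_info still compares the computed size against the client-supplied `req->length` field, while the `REQUEST_AT_LEAST_SIZE` guard added just above it is based on `client->req_len`. The header check and the total-length check therefore use two different length sources, and the extension-string verification that follows (outside the hunk) relies on them agreeing. The hunk does not show whether the two can differ, so either compare against the length the dispatcher actually read, `if (size < 0 || client->req_len != (size / 4))`, or add a comment stating why the wire field is authoritative here. The `safe_*` helpers are also not visible; if they take `int`, as the `size < 0` test suggests, a one-line comment such as `/* size is negative if any term overflowed or a CARD32 count did not fit in int */` would document the reliance on that conversion.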