[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0029-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch

From 554e382ba7aae961ca88c75edb1caffb5d00e9f6 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:45 -0500
Subject: [PATCH 29/33] glx: Request length checks for SetClientInfoARB
 [CVE-2014-8098 5/8]

Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 glx/clientinfo.c |   19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/glx/clientinfo.c b/glx/clientinfo.c
index 4aaa4c9..c5fef30 100644
--- a/glx/clientinfo.c
+++ b/glx/clientinfo.c
@@ -33,18 +33,21 @@ static int
 set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
                 unsigned bytes_per_version)
 {
+    ClientPtr client = cl->client;
     char *gl_extensions;
     char *glx_extensions;
 
+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
     /* Verify that the size of the packet matches the size inferred from the
      * sizes specified for the various fields.
      */
-    const unsigned expected_size = sz_xGLXSetClientInfoARBReq
-        + (req->numVersions * bytes_per_version)
-        + __GLX_PAD(req->numGLExtensionBytes)
-        + __GLX_PAD(req->numGLXExtensionBytes);
+    int size = sz_xGLXSetClientInfoARBReq;
+    size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
+    size = safe_add(size, safe_pad(req->numGLExtensionBytes));
+    size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
 
-    if (req->length != (expected_size / 4))
+    if (size < 0 || req->length != (size / 4))
         return BadLength;
 
     /* Verify that the actual length of the GL extension string matches what's
@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
     req->length = bswap_16(req->length);
     req->numVersions = bswap_32(req->numVersions);
     req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 {
+    ClientPtr client = cl->client;
     xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+    REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
     req->length = bswap_16(req->length);
     req->numVersions = bswap_32(req->numVersions);
     req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
-- 
1.7.9.2
Commit	Line	Data
7217e0ca ML	1	From 554e382ba7aae961ca88c75edb1caffb5d00e9f6 Mon Sep 17 00:00:00 2001
	2	From: Adam Jackson <ajax@redhat.com>
	3	Date: Mon, 10 Nov 2014 12:13:45 -0500
	4	Subject: [PATCH 29/33] glx: Request length checks for SetClientInfoARB
	5	[CVE-2014-8098 5/8]
	6
	7	Reviewed-by: Keith Packard <keithp@keithp.com>
	8	Reviewed-by: Julien Cristau <jcristau@debian.org>
	9	Reviewed-by: Michal Srb <msrb@suse.com>
	10	Reviewed-by: Andy Ritger <aritger@nvidia.com>
	11	Signed-off-by: Adam Jackson <ajax@redhat.com>
	12	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	13	---
	14	glx/clientinfo.c \| 19 ++++++++++++++-----
	15	1 file changed, 14 insertions(+), 5 deletions(-)
	16
	17	diff --git a/glx/clientinfo.c b/glx/clientinfo.c
	18	index 4aaa4c9..c5fef30 100644
	19	--- a/glx/clientinfo.c
	20	+++ b/glx/clientinfo.c
	21	@@ -33,18 +33,21 @@ static int
	22	set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
	23	unsigned bytes_per_version)
	24	{
	25	+ ClientPtr client = cl->client;
	26	char *gl_extensions;
	27	char *glx_extensions;
	28
	29	+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
	30	+
	31	/* Verify that the size of the packet matches the size inferred from the
	32	* sizes specified for the various fields.
	33	*/
	34	- const unsigned expected_size = sz_xGLXSetClientInfoARBReq
	35	- + (req->numVersions * bytes_per_version)
	36	- + __GLX_PAD(req->numGLExtensionBytes)
	37	- + __GLX_PAD(req->numGLXExtensionBytes);
	38	+ int size = sz_xGLXSetClientInfoARBReq;
	39	+ size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
	40	+ size = safe_add(size, safe_pad(req->numGLExtensionBytes));
	41	+ size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
	42
	43	- if (req->length != (expected_size / 4))
	44	+ if (size < 0 \|\| req->length != (size / 4))
	45	return BadLength;
	46
	47	/* Verify that the actual length of the GL extension string matches what's
	48	@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
	49	int
	50	__glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
	51	{
	52	+ ClientPtr client = cl->client;
	53	xGLXSetClientInfoARBReq req = (xGLXSetClientInfoARBReq ) pc;
	54
	55	+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
	56	+
	57	req->length = bswap_16(req->length);
	58	req->numVersions = bswap_32(req->numVersions);
	59	req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
	60	@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
	61	int
	62	__glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
	63	{
	64	+ ClientPtr client = cl->client;
65	xGLXSetClientInfoARBReq req = (xGLXSetClientInfoARBReq ) pc;
66
67	+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
68	+
69	req->length = bswap_16(req->length);
70	req->numVersions = bswap_32(req->numVersions);
71	req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
72	--
73	1.7.9.2
74