repositories / deb_xorg-server.git / blame
| Commit | Line | Data |
|---|---|---|
| 7217e0ca ML |
1 | From a7c63d6599067dc8ff0d114536d2db3fadb4e195 Mon Sep 17 00:00:00 2001 |
| 2 | From: Robert Morell <rmorell@nvidia.com> | |
| 3 | Date: Wed, 12 Nov 2014 18:51:43 -0800 | |
| 4 | Subject: [PATCH 33/33] glx: Fix mask truncation in __glXGetAnswerBuffer | |
| 5 | [CVE-2014-8093 6/6] | |
| 6 | ||
| 7 | On a system where sizeof(unsigned) != sizeof(intptr_t), the unary | |
| 8 | bitwise not operation will result in a mask that clears all high bits | |
| 9 | from temp_buf in the expression: | |
| 10 | temp_buf = (temp_buf + mask) & ~mask; | |
| 11 | ||
| 12 | Signed-off-by: Robert Morell <rmorell@nvidia.com> | |
| 13 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
| 14 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
| 15 | --- | |
| 16 | glx/indirect_util.c | 2 +- | |
| 17 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
| 18 | ||
| 7217e0ca ML |
19 | --- a/glx/indirect_util.c |
| 20 | +++ b/glx/indirect_util.c | |
| 4db25562 | 21 | @@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * |
| 7217e0ca ML |
22 | void *local_buffer, size_t local_size, unsigned alignment) |
| 23 | { | |
| 24 | void *buffer = local_buffer; | |
| 25 | - const unsigned mask = alignment - 1; | |
| 26 | + const intptr_t mask = alignment - 1; | |
| 27 | ||
| 28 | if (local_size < required_size) { | |
| 29 | size_t worst_case_size; |