1 From 096a5af8e52faafc38ae84dd17bede7ac03a3b83 Mon Sep 17 00:00:00 2001
2 From: Adam Jackson <ajax@redhat.com>
3 Date: Mon, 10 Nov 2014 12:13:36 -0500
4 Subject: [PATCH 20/33] glx: Be more paranoid about variable-length requests
7 If the size computation routine returns -1 we should just reject the
8 request outright. Clamping it to zero could give an attacker the
9 opportunity to also mangle cmdlen in such a way that the subsequent
10 length check passes, and the request would get executed, thus passing
11 data we wanted to reject to the renderer.
13 Reviewed-by: Keith Packard <keithp@keithp.com>
14 Reviewed-by: Julien Cristau <jcristau@debian.org>
15 Reviewed-by: Michal Srb <msrb@suse.com>
16 Reviewed-by: Andy Ritger <aritger@nvidia.com>
17 Signed-off-by: Adam Jackson <ajax@redhat.com>
18 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
20 glx/glxcmds.c | 4 ++--
21 1 file changed, 2 insertions(+), 2 deletions(-)
23 Index: xorg-server-1.15.1/glx/glxcmds.c
24 ===================================================================
25 --- xorg-server-1.15.1.orig/glx/glxcmds.c 2014-12-04 11:55:22.293001486 -0500
26 +++ xorg-server-1.15.1/glx/glxcmds.c 2014-12-04 11:55:22.289001461 -0500
28 extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
34 if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
37 extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
43 /* large command's header is 4 bytes longer, so add 4 */
44 if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
repositories / deb_xorg-server.git / blob