1 From 902b6a30c660f4b38afd936726071b631ada3fcf Mon Sep 17 00:00:00 2001
2 From: Adam Jackson <ajax@redhat.com>
3 Date: Mon, 10 Nov 2014 12:13:38 -0500
4 Subject: [PATCH 22/33] glx: Additional paranoia in __glXGetAnswerBuffer /
5 __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
7 If the computed reply size is negative, something went wrong, treat it
10 v2: Be more careful about size_t being unsigned (Matthieu Herrb)
11 v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
13 Reviewed-by: Julien Cristau <jcristau@debian.org>
14 Reviewed-by: Michal Srb <msrb@suse.com>
15 Reviewed-by: Andy Ritger <aritger@nvidia.com>
16 Signed-off-by: Adam Jackson <ajax@redhat.com>
17 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
19 glx/indirect_util.c | 7 ++++++-
21 2 files changed, 8 insertions(+), 2 deletions(-)
23 diff --git a/glx/indirect_util.c b/glx/indirect_util.c
24 index 926e57c..de81491 100644
25 --- a/glx/indirect_util.c
26 +++ b/glx/indirect_util.c
27 @@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
28 const unsigned mask = alignment - 1;
30 if (local_size < required_size) {
31 - const size_t worst_case_size = required_size + alignment;
32 + size_t worst_case_size;
35 + if (required_size < SIZE_MAX - alignment)
36 + worst_case_size = required_size + alignment;
40 if (cl->returnBufSize < worst_case_size) {
41 void *temp = realloc(cl->returnBuf, worst_case_size);
43 diff --git a/glx/unpack.h b/glx/unpack.h
44 index 52fba74..2b1ebcf 100644
47 @@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
50 #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
51 - if ((size) > sizeof(answerBuffer)) { \
52 + if (size < 0) return BadLength; \
53 + else if ((size) > sizeof(answerBuffer)) { \
55 if ((cl)->returnBufSize < (size)+(align)) { \
56 (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \