1 From 902b6a30c660f4b38afd936726071b631ada3fcf Mon Sep 17 00:00:00 2001
2 From: Adam Jackson <ajax@redhat.com>
3 Date: Mon, 10 Nov 2014 12:13:38 -0500
4 Subject: [PATCH 22/33] glx: Additional paranoia in __glXGetAnswerBuffer /
5 __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
7 If the computed reply size is negative, something went wrong, treat it
10 v2: Be more careful about size_t being unsigned (Matthieu Herrb)
11 v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
13 Reviewed-by: Julien Cristau <jcristau@debian.org>
14 Reviewed-by: Michal Srb <msrb@suse.com>
15 Reviewed-by: Andy Ritger <aritger@nvidia.com>
16 Signed-off-by: Adam Jackson <ajax@redhat.com>
17 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
19 glx/indirect_util.c | 7 ++++++-
21 2 files changed, 8 insertions(+), 2 deletions(-)
23 --- a/glx/indirect_util.c
24 +++ b/glx/indirect_util.c
25 @@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState *
26 const unsigned mask = alignment - 1;
28 if (local_size < required_size) {
29 - const size_t worst_case_size = required_size + alignment;
30 + size_t worst_case_size;
33 + if (required_size < SIZE_MAX - alignment)
34 + worst_case_size = required_size + alignment;
38 if (cl->returnBufSize < worst_case_size) {
39 void *temp = realloc(cl->returnBuf, worst_case_size);
43 @@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
46 #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
47 - if ((size) > sizeof(answerBuffer)) { \
48 + if (size < 0) return BadLength; \
49 + else if ((size) > sizeof(answerBuffer)) { \
51 if ((cl)->returnBufSize < (size)+(align)) { \
52 (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \