debian/patches/CVE-2014-8xxx/0024-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6.patch

   1 From 13f54e513024fc8224065515d9c664135aba1848 Mon Sep 17 00:00:00 2001
   2 From: Adam Jackson <ajax@redhat.com>
   3 Date: Mon, 10 Nov 2014 12:13:40 -0500
   4 Subject: [PATCH 24/33] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
   5
   6 These are paranoid about integer overflow, and will return -1 if their
   7 operation would overflow a (signed) integer or if either argument is
   8 negative.
   9
  10 Note that RenderLarge requests are sized with a uint32_t so in principle
  11 this could be sketchy there, but dix limits bigreqs to 128M so you
  12 shouldn't ever notice, and honestly if you're sending more than 2G of
  13 rendering commands you're already doing something very wrong.
  14
  15 v2: Use INT_MAX for consistency with the rest of the server (jcristau)
  16 v3: Reject negative arguments (anholt)
  17
  18 Reviewed-by: Keith Packard <keithp@keithp.com>
  19 Reviewed-by: Julien Cristau <jcristau@debian.org>
  20 Reviewed-by: Michal Srb <msrb@suse.com>
  21 Reviewed-by: Andy Ritger <aritger@nvidia.com>
  22 Signed-off-by: Adam Jackson <ajax@redhat.com>
  23 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  24 ---
  25  glx/glxserver.h |   41 +++++++++++++++++++++++++++++++++++++++++
  26  1 file changed, 41 insertions(+)
  27
  28 --- a/glx/glxserver.h
  29 +++ b/glx/glxserver.h
  30 @@ -230,6 +230,47 @@ extern void glxSwapQueryServerStringRepl
  31   * Routines for computing the size of variably-sized rendering commands.
  32   */
  33
  34 +static _X_INLINE int
  35 +safe_add(int a, int b)
  36 +{
  37 +    if (a < 0 || b < 0)
  38 +        return -1;
  39 +
  40 +    if (INT_MAX - a < b)
  41 +        return -1;
  42 +
  43 +    return a + b;
  44 +}
  45 +
  46 +static _X_INLINE int
  47 +safe_mul(int a, int b)
  48 +{
  49 +    if (a < 0 || b < 0)
  50 +        return -1;
  51 +
  52 +    if (a == 0 || b == 0)
  53 +        return 0;
  54 +
  55 +    if (a > INT_MAX / b)
  56 +        return -1;
  57 +
  58 +    return a * b;
  59 +}
  60 +
  61 +static _X_INLINE int
  62 +safe_pad(int a)
  63 +{
  64 +    int ret;
  65 +
  66 +    if (a < 0)
  67 +        return -1;
  68 +
  69 +    if ((ret = safe_add(a, 3)) < 0)
  70 +        return -1;
  71 +
  72 +    return ret & (GLuint)~3;
  73 +}
  74 +
  75  extern int __glXTypeSize(GLenum enm);
  76  extern int __glXImageSize(GLenum format, GLenum type,
  77                            GLenum target, GLsizei w, GLsizei h, GLsizei d,