Imported Debian patch 2:1.15.1-0ubuntu2.6
[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0025-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
1 From 02f91446a5446d7287a0fc30aa8b15a1cd29c2cf Mon Sep 17 00:00:00 2001
2 From: Julien Cristau <jcristau@debian.org>
3 Date: Mon, 10 Nov 2014 12:13:41 -0500
4 Subject: [PATCH 25/33] glx: Length checking for GLXRender requests (v2)
5 [CVE-2014-8098 2/8]
6
7 v2:
8 Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
9
10 Reviewed-by: Adam Jackson <ajax@redhat.com>
11 Reviewed-by: Michal Srb <msrb@suse.com>
12 Reviewed-by: Andy Ritger <aritger@nvidia.com>
13 Signed-off-by: Julien Cristau <jcristau@debian.org>
14 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
15 ---
16 glx/glxcmds.c | 21 ++++++++++-----------
17 1 file changed, 10 insertions(+), 11 deletions(-)
18
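--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2015,7 +2015,7 @@
 left = (req->length << 2) - sz_xGLXRenderReq;
 while (left > 0) {
 __GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
 __GLXdispatchRenderProcPtr proc;
 int err;
 
@@ -2034,6 +2034,9 @@
 cmdlen = hdr->length;
 opcode = hdr->opcode;
 
+ if (left < cmdlen)
+ return BadLength;
+
 /*
 ** Check for core opcodes and grab entry data.
 */
@@ -2047,6 +2050,10 @@
 return __glXError(GLXBadRenderRequest);
 }
 
+ if (cmdlen < entry.bytes) {
+ return BadLength;
+ }
+
 if (entry.varsize) {
 /* variable size command */
 extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
@@ -2054,17 +2061,9 @@
 if (extra < 0) {
 return BadLength;
 }
- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
- return BadLength;
- }
 }
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes)) {
- return BadLength;
- }
- }
- if (left < cmdlen) {
+
+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
 return BadLength;
 }
 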
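Review bot: The two early returns added after `opcode = hdr->opcode;` and after the opcode lookup are what bound the `entry.varsize` callback's reads to the request, but the code does not say so, and the first is unbraced while the second is braced. I would add `/* the command must fit in what is left of the request before its payload is read */` above `if (left < cmdlen)` and `/* the fixed-size part must be present before varsize parses it */` above `if (cmdlen < entry.bytes)`, and brace both the same way. The merged final test depends on `safe_add` and `safe_pad`, which are not defined in this file section; presumably they return a negative sentinel on overflow that can never equal `cmdlen`, and a one-line comment saying so would make the `extra = 0` initialisation easier to audit. The `varsize` call's argument list is cut by the hunk boundary, so whether the callback receives the remaining length cannot be confirmed from here. The enclosing function starts and ends outside these hunks.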