debian/patches/CVE-2014-8xxx/0025-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch

   1 From 02f91446a5446d7287a0fc30aa8b15a1cd29c2cf Mon Sep 17 00:00:00 2001
   2 From: Julien Cristau <jcristau@debian.org>
   3 Date: Mon, 10 Nov 2014 12:13:41 -0500
   4 Subject: [PATCH 25/33] glx: Length checking for GLXRender requests (v2)
   5  [CVE-2014-8098 2/8]
   6
   7 v2:
   8 Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
   9
  10 Reviewed-by: Adam Jackson <ajax@redhat.com>
  11 Reviewed-by: Michal Srb <msrb@suse.com>
  12 Reviewed-by: Andy Ritger <aritger@nvidia.com>
  13 Signed-off-by: Julien Cristau <jcristau@debian.org>
  14 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  15 ---
  16  glx/glxcmds.c |   21 ++++++++++-----------
  17  1 file changed, 10 insertions(+), 11 deletions(-)
  18
  19 --- a/glx/glxcmds.c
  20 +++ b/glx/glxcmds.c
  21 @@ -2015,7 +2015,7 @@ __glXDisp_Render(__GLXclientState * cl,
  22      left = (req->length << 2) - sz_xGLXRenderReq;
  23      while (left > 0) {
  24          __GLXrenderSizeData entry;
  25 -        int extra;
  26 +        int extra = 0;
  27          __GLXdispatchRenderProcPtr proc;
  28          int err;
  29
  30 @@ -2034,6 +2034,9 @@ __glXDisp_Render(__GLXclientState * cl,
  31          cmdlen = hdr->length;
  32          opcode = hdr->opcode;
  33
  34 +        if (left < cmdlen)
  35 +            return BadLength;
  36 +
  37          /*
  38           ** Check for core opcodes and grab entry data.
  39           */
  40 @@ -2047,6 +2050,10 @@ __glXDisp_Render(__GLXclientState * cl,
  41              return __glXError(GLXBadRenderRequest);
  42          }
  43
  44 +        if (cmdlen < entry.bytes) {
  45 +            return BadLength;
  46 +        }
  47 +
  48          if (entry.varsize) {
  49              /* variable size command */
  50              extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
  51 @@ -2054,17 +2061,9 @@ __glXDisp_Render(__GLXclientState * cl,
  52              if (extra < 0) {
  53                  return BadLength;
  54              }
  55 -            if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
  56 -                return BadLength;
  57 -            }
  58          }
  59 -        else {
  60 -            /* constant size command */
  61 -            if (cmdlen != __GLX_PAD(entry.bytes)) {
  62 -                return BadLength;
  63 -            }
  64 -        }
  65 -        if (left < cmdlen) {
  66 +
  67 +        if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
  68              return BadLength;
  69          }
  70