debian/patches/CVE-2014-8xxx/0026-glx-Integer-overflow-protection-for-non-generated-re.patch

   1 From 84caa119e859d66e1a8368f265c16769e44e3291 Mon Sep 17 00:00:00 2001
   2 From: Adam Jackson <ajax@redhat.com>
   3 Date: Mon, 10 Nov 2014 12:13:42 -0500
   4 Subject: [PATCH 26/33] glx: Integer overflow protection for non-generated
   5  render requests (v3) [CVE-2014-8093 5/6]
   6
   7 v2:
   8 Fix constants in __glXMap2fReqSize (Michal Srb)
   9 Validate w/h/d for proxy targets too (Keith Packard)
  10
  11 v3:
  12 Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
  13
  14 Reviewed-by: Keith Packard <keithp@keithp.com>
  15 Reviewed-by: Michal Srb <msrb@suse.com>
  16 Reviewed-by: Andy Ritger <aritger@nvidia.com>
  17 Signed-off-by: Adam Jackson <ajax@redhat.com>
  18 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  19 ---
  20  glx/rensize.c |   77 ++++++++++++++++++++++++++++++---------------------------
  21  1 file changed, 41 insertions(+), 36 deletions(-)
  22
  23 diff --git a/glx/rensize.c b/glx/rensize.c
  24 index 9ff73c7..d46334a 100644
  25 --- a/glx/rensize.c
  26 +++ b/glx/rensize.c
  27 @@ -43,19 +43,11 @@
  28    (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
  29     ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
  30
  31 -static int
  32 -Map1Size(GLint k, GLint order)
  33 -{
  34 -    if (order <= 0 || k < 0)
  35 -        return -1;
  36 -    return k * order;
  37 -}
  38 -
  39  int
  40  __glXMap1dReqSize(const GLbyte * pc, Bool swap)
  41  {
  42      GLenum target;
  43 -    GLint order, k;
  44 +    GLint order;
  45
  46      target = *(GLenum *) (pc + 16);
  47      order = *(GLint *) (pc + 20);
  48 @@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
  49          target = SWAPL(target);
  50          order = SWAPL(order);
  51      }
  52 -    k = __glMap1d_size(target);
  53 -    return 8 * Map1Size(k, order);
  54 +    if (order < 1)
  55 +        return -1;
  56 +    return safe_mul(8, safe_mul(__glMap1d_size(target), order));
  57  }
  58
  59  int
  60  __glXMap1fReqSize(const GLbyte * pc, Bool swap)
  61  {
  62      GLenum target;
  63 -    GLint order, k;
  64 +    GLint order;
  65
  66      target = *(GLenum *) (pc + 0);
  67      order = *(GLint *) (pc + 12);
  68 @@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
  69          target = SWAPL(target);
  70          order = SWAPL(order);
  71      }
  72 -    k = __glMap1f_size(target);
  73 -    return 4 * Map1Size(k, order);
  74 +    if (order < 1)
  75 +        return -1;
  76 +    return safe_mul(4, safe_mul(__glMap1f_size(target), order));
  77  }
  78
  79  static int
  80  Map2Size(int k, int majorOrder, int minorOrder)
  81  {
  82 -    if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
  83 +    if (majorOrder < 1 || minorOrder < 1)
  84          return -1;
  85 -    return k * majorOrder * minorOrder;
  86 +    return safe_mul(k, safe_mul(majorOrder, minorOrder));
  87  }
  88
  89  int
  90  __glXMap2dReqSize(const GLbyte * pc, Bool swap)
  91  {
  92      GLenum target;
  93 -    GLint uorder, vorder, k;
  94 +    GLint uorder, vorder;
  95
  96      target = *(GLenum *) (pc + 32);
  97      uorder = *(GLint *) (pc + 36);
  98 @@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
  99          uorder = SWAPL(uorder);
 100          vorder = SWAPL(vorder);
 101      }
 102 -    k = __glMap2d_size(target);
 103 -    return 8 * Map2Size(k, uorder, vorder);
 104 +    return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
 105  }
 106
 107  int
 108  __glXMap2fReqSize(const GLbyte * pc, Bool swap)
 109  {
 110      GLenum target;
 111 -    GLint uorder, vorder, k;
 112 +    GLint uorder, vorder;
 113
 114      target = *(GLenum *) (pc + 0);
 115      uorder = *(GLint *) (pc + 12);
 116 @@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
 117          uorder = SWAPL(uorder);
 118          vorder = SWAPL(vorder);
 119      }
 120 -    k = __glMap2f_size(target);
 121 -    return 4 * Map2Size(k, uorder, vorder);
 122 +    return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
 123  }
 124
 125  /**
 126 @@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
 127      GLint bytesPerElement, elementsPerGroup, groupsPerRow;
 128      GLint groupSize, rowSize, padding, imageSize;
 129
 130 +    if (w == 0 || h == 0 || d == 0)
 131 +        return 0;
 132 +
 133      if (w < 0 || h < 0 || d < 0 ||
 134          (type == GL_BITMAP &&
 135           (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
 136          return -1;
 137      }
 138 -    if (w == 0 || h == 0 || d == 0)
 139 -        return 0;
 140
 141 +    /* proxy targets have no data */
 142      switch (target) {
 143      case GL_PROXY_TEXTURE_1D:
 144      case GL_PROXY_TEXTURE_2D:
 145 @@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
 146          return 0;
 147      }
 148
 149 +    /* real data has to have real sizes */
 150 +    if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
 151 +        return -1;
 152 +    if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
 153 +        return -1;
 154 +
 155      if (type == GL_BITMAP) {
 156          if (rowLength > 0) {
 157              groupsPerRow = rowLength;
 158 @@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
 159              groupsPerRow = w;
 160          }
 161          rowSize = bits_to_bytes(groupsPerRow);
 162 +        if (rowSize < 0)
 163 +            return -1;
 164          padding = (rowSize % alignment);
 165          if (padding) {
 166              rowSize += alignment - padding;
 167          }
 168 -        return ((h + skipRows) * rowSize);
 169 +
 170 +        return safe_mul(safe_add(h, skipRows), rowSize);
 171      }
 172      else {
 173          switch (format) {
 174 @@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
 175          default:
 176              return -1;
 177          }
 178 +        /* known safe by the switches above, not checked */
 179          groupSize = bytesPerElement * elementsPerGroup;
 180          if (rowLength > 0) {
 181              groupsPerRow = rowLength;
 182 @@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
 183          else {
 184              groupsPerRow = w;
 185          }
 186 -        rowSize = groupsPerRow * groupSize;
 187 +
 188 +        if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
 189 +            return -1;
 190          padding = (rowSize % alignment);
 191          if (padding) {
 192              rowSize += alignment - padding;
 193          }
 194 -        if (imageHeight > 0) {
 195 -            imageSize = (imageHeight + skipRows) * rowSize;
 196 -        }
 197 -        else {
 198 -            imageSize = (h + skipRows) * rowSize;
 199 -        }
 200 -        return ((d + skipImages) * imageSize);
 201 +
 202 +        if (imageHeight > 0)
 203 +            h = imageHeight;
 204 +        h = safe_add(h, skipRows);
 205 +
 206 +        imageSize = safe_mul(h, rowSize);
 207 +
 208 +        return safe_mul(safe_add(d, skipImages), imageSize);
 209      }
 210  }
 211
 212 @@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
 213      /* XXX Should rowLength be used for either or both image? */
 214      image1size = __glXImageSize(format, type, 0, w, 1, 1,
 215                                  0, rowLength, 0, 0, alignment);
 216 -    image1size = __GLX_PAD(image1size);
 217      image2size = __glXImageSize(format, type, 0, h, 1, 1,
 218                                  0, rowLength, 0, 0, alignment);
 219 -    return image1size + image2size;
 220 -
 221 +    return safe_add(safe_pad(image1size), image2size);
 222  }
 223 --
 224 1.7.9.2
 225