debian/patches/CVE-2014-8xxx/0026-glx-Integer-overflow-protection-for-non-generated-re.patch

   1 From 84caa119e859d66e1a8368f265c16769e44e3291 Mon Sep 17 00:00:00 2001
   2 From: Adam Jackson <ajax@redhat.com>
   3 Date: Mon, 10 Nov 2014 12:13:42 -0500
   4 Subject: [PATCH 26/33] glx: Integer overflow protection for non-generated
   5  render requests (v3) [CVE-2014-8093 5/6]
   6
   7 v2:
   8 Fix constants in __glXMap2fReqSize (Michal Srb)
   9 Validate w/h/d for proxy targets too (Keith Packard)
  10
  11 v3:
  12 Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
  13
  14 Reviewed-by: Keith Packard <keithp@keithp.com>
  15 Reviewed-by: Michal Srb <msrb@suse.com>
  16 Reviewed-by: Andy Ritger <aritger@nvidia.com>
  17 Signed-off-by: Adam Jackson <ajax@redhat.com>
  18 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  19 ---
  20  glx/rensize.c |   77 ++++++++++++++++++++++++++++++---------------------------
  21  1 file changed, 41 insertions(+), 36 deletions(-)
  22
  23 --- a/glx/rensize.c
  24 +++ b/glx/rensize.c
  25 @@ -43,19 +43,11 @@
  26    (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
  27     ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
  28
  29 -static int
  30 -Map1Size(GLint k, GLint order)
  31 -{
  32 -    if (order <= 0 || k < 0)
  33 -        return -1;
  34 -    return k * order;
  35 -}
  36 -
  37  int
  38  __glXMap1dReqSize(const GLbyte * pc, Bool swap)
  39  {
  40      GLenum target;
  41 -    GLint order, k;
  42 +    GLint order;
  43
  44      target = *(GLenum *) (pc + 16);
  45      order = *(GLint *) (pc + 20);
  46 @@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Boo
  47          target = SWAPL(target);
  48          order = SWAPL(order);
  49      }
  50 -    k = __glMap1d_size(target);
  51 -    return 8 * Map1Size(k, order);
  52 +    if (order < 1)
  53 +        return -1;
  54 +    return safe_mul(8, safe_mul(__glMap1d_size(target), order));
  55  }
  56
  57  int
  58  __glXMap1fReqSize(const GLbyte * pc, Bool swap)
  59  {
  60      GLenum target;
  61 -    GLint order, k;
  62 +    GLint order;
  63
  64      target = *(GLenum *) (pc + 0);
  65      order = *(GLint *) (pc + 12);
  66 @@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Boo
  67          target = SWAPL(target);
  68          order = SWAPL(order);
  69      }
  70 -    k = __glMap1f_size(target);
  71 -    return 4 * Map1Size(k, order);
  72 +    if (order < 1)
  73 +        return -1;
  74 +    return safe_mul(4, safe_mul(__glMap1f_size(target), order));
  75  }
  76
  77  static int
  78  Map2Size(int k, int majorOrder, int minorOrder)
  79  {
  80 -    if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
  81 +    if (majorOrder < 1 || minorOrder < 1)
  82          return -1;
  83 -    return k * majorOrder * minorOrder;
  84 +    return safe_mul(k, safe_mul(majorOrder, minorOrder));
  85  }
  86
  87  int
  88  __glXMap2dReqSize(const GLbyte * pc, Bool swap)
  89  {
  90      GLenum target;
  91 -    GLint uorder, vorder, k;
  92 +    GLint uorder, vorder;
  93
  94      target = *(GLenum *) (pc + 32);
  95      uorder = *(GLint *) (pc + 36);
  96 @@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Boo
  97          uorder = SWAPL(uorder);
  98          vorder = SWAPL(vorder);
  99      }
 100 -    k = __glMap2d_size(target);
 101 -    return 8 * Map2Size(k, uorder, vorder);
 102 +    return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
 103  }
 104
 105  int
 106  __glXMap2fReqSize(const GLbyte * pc, Bool swap)
 107  {
 108      GLenum target;
 109 -    GLint uorder, vorder, k;
 110 +    GLint uorder, vorder;
 111
 112      target = *(GLenum *) (pc + 0);
 113      uorder = *(GLint *) (pc + 12);
 114 @@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Boo
 115          uorder = SWAPL(uorder);
 116          vorder = SWAPL(vorder);
 117      }
 118 -    k = __glMap2f_size(target);
 119 -    return 4 * Map2Size(k, uorder, vorder);
 120 +    return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
 121  }
 122
 123  /**
 124 @@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum typ
 125      GLint bytesPerElement, elementsPerGroup, groupsPerRow;
 126      GLint groupSize, rowSize, padding, imageSize;
 127
 128 +    if (w == 0 || h == 0 || d == 0)
 129 +        return 0;
 130 +
 131      if (w < 0 || h < 0 || d < 0 ||
 132          (type == GL_BITMAP &&
 133           (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
 134          return -1;
 135      }
 136 -    if (w == 0 || h == 0 || d == 0)
 137 -        return 0;
 138
 139 +    /* proxy targets have no data */
 140      switch (target) {
 141      case GL_PROXY_TEXTURE_1D:
 142      case GL_PROXY_TEXTURE_2D:
 143 @@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum typ
 144          return 0;
 145      }
 146
 147 +    /* real data has to have real sizes */
 148 +    if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
 149 +        return -1;
 150 +    if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
 151 +        return -1;
 152 +
 153      if (type == GL_BITMAP) {
 154          if (rowLength > 0) {
 155              groupsPerRow = rowLength;
 156 @@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum typ
 157              groupsPerRow = w;
 158          }
 159          rowSize = bits_to_bytes(groupsPerRow);
 160 +        if (rowSize < 0)
 161 +            return -1;
 162          padding = (rowSize % alignment);
 163          if (padding) {
 164              rowSize += alignment - padding;
 165          }
 166 -        return ((h + skipRows) * rowSize);
 167 +
 168 +        return safe_mul(safe_add(h, skipRows), rowSize);
 169      }
 170      else {
 171          switch (format) {
 172 @@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum typ
 173          default:
 174              return -1;
 175          }
 176 +        /* known safe by the switches above, not checked */
 177          groupSize = bytesPerElement * elementsPerGroup;
 178          if (rowLength > 0) {
 179              groupsPerRow = rowLength;
 180 @@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum typ
 181          else {
 182              groupsPerRow = w;
 183          }
 184 -        rowSize = groupsPerRow * groupSize;
 185 +
 186 +        if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
 187 +            return -1;
 188          padding = (rowSize % alignment);
 189          if (padding) {
 190              rowSize += alignment - padding;
 191          }
 192 -        if (imageHeight > 0) {
 193 -            imageSize = (imageHeight + skipRows) * rowSize;
 194 -        }
 195 -        else {
 196 -            imageSize = (h + skipRows) * rowSize;
 197 -        }
 198 -        return ((d + skipImages) * imageSize);
 199 +
 200 +        if (imageHeight > 0)
 201 +            h = imageHeight;
 202 +        h = safe_add(h, skipRows);
 203 +
 204 +        imageSize = safe_mul(h, rowSize);
 205 +
 206 +        return safe_mul(safe_add(d, skipImages), imageSize);
 207      }
 208  }
 209
 210 @@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLby
 211      /* XXX Should rowLength be used for either or both image? */
 212      image1size = __glXImageSize(format, type, 0, w, 1, 1,
 213                                  0, rowLength, 0, 0, alignment);
 214 -    image1size = __GLX_PAD(image1size);
 215      image2size = __glXImageSize(format, type, 0, h, 1, 1,
 216                                  0, rowLength, 0, 0, alignment);
 217 -    return image1size + image2size;
 218 -
 219 +    return safe_add(safe_pad(image1size), image2size);
 220  }