Imported Debian patch 2:1.15.1-0ubuntu2.6
1 From 554e382ba7aae961ca88c75edb1caffb5d00e9f6 Mon Sep 17 00:00:00 2001
2 From: Adam Jackson <ajax@redhat.com>
3 Date: Mon, 10 Nov 2014 12:13:45 -0500
4 Subject: [PATCH 29/33] glx: Request length checks for SetClientInfoARB
5 [CVE-2014-8098 5/8]
6
7 Reviewed-by: Keith Packard <keithp@keithp.com>
8 Reviewed-by: Julien Cristau <jcristau@debian.org>
9 Reviewed-by: Michal Srb <msrb@suse.com>
10 Reviewed-by: Andy Ritger <aritger@nvidia.com>
11 Signed-off-by: Adam Jackson <ajax@redhat.com>
12 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
13 ---
14 glx/clientinfo.c | 19 ++++++++++++++-----
15 1 file changed, 14 insertions(+), 5 deletions(-)
16
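--- a/glx/clientinfo.c
+++ b/glx/clientinfo.c
@@ -33,18 +33,21 @@ static int
 set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
 unsigned bytes_per_version)
 {
+ ClientPtr client = cl->client;
 char *gl_extensions;
 char *glx_extensions;
 
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
 /* Verify that the size of the packet matches the size inferred from the
 * sizes specified for the various fields.
 */
- const unsigned expected_size = sz_xGLXSetClientInfoARBReq
- + (req->numVersions * bytes_per_version)
- + __GLX_PAD(req->numGLExtensionBytes)
- + __GLX_PAD(req->numGLXExtensionBytes);
+ int size = sz_xGLXSetClientInfoARBReq;
+ size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
+ size = safe_add(size, safe_pad(req->numGLExtensionBytes));
+ size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
 
- if (req->length != (expected_size / 4))
+ if (size < 0 || req->length != (size / 4))
 return BadLength;
 
 /* Verify that the actual length of the GL extension string matches what's
@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 {
+ ClientPtr client = cl->client;
 xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
 req->length = bswap_16(req->length);
 req->numVersions = bswap_32(req->numVersions);
 req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 int
 __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 {
+ ClientPtr client = cl->client;
 xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
 req->length = bswap_16(req->length);
 req->numVersions = bswap_32(req->numVersions);
 req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);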
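Review bot: In the first hunk the final comparison in set_client_info still measures the computed size against `req->length`, the 16-bit field carried inside the request, while the newly added REQUEST_AT_LEAST_SIZE guard is evaluated against the length the server recorded for the client. The two presumably agree for an ordinary request, but comparing against the server-side value would tie the computed size to the bytes actually received, e.g. `if (size < 0 || client->req_len != (size / 4))`. The `size < 0` test also depends on safe_add, safe_mul and safe_pad returning a negative value on overflow and propagating it; those helpers are defined outside this patch, so a short comment such as `/* safe_* return -1 on overflow; a negative size means a field overflowed */` above the check would make the contract visible here. The bodies of set_client_info and both swapped dispatchers continue past the hunks, so the later string-length checks could not be reviewed.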
72 --
73 1.7.9.2
74