ODROID-U3 xorg-server debian package fork :
[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0029-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch
1 From 554e382ba7aae961ca88c75edb1caffb5d00e9f6 Mon Sep 17 00:00:00 2001
2 From: Adam Jackson <ajax@redhat.com>
3 Date: Mon, 10 Nov 2014 12:13:45 -0500
4 Subject: [PATCH 29/33] glx: Request length checks for SetClientInfoARB
5 [CVE-2014-8098 5/8]
6
7 Reviewed-by: Keith Packard <keithp@keithp.com>
8 Reviewed-by: Julien Cristau <jcristau@debian.org>
9 Reviewed-by: Michal Srb <msrb@suse.com>
10 Reviewed-by: Andy Ritger <aritger@nvidia.com>
11 Signed-off-by: Adam Jackson <ajax@redhat.com>
12 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
13 ---
14 glx/clientinfo.c | 19 ++++++++++++++-----
15 1 file changed, 14 insertions(+), 5 deletions(-)
16
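--- a/glx/clientinfo.c
+++ b/glx/clientinfo.c
@@ -33,18 +33,21 @@ static int
 set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
 unsigned bytes_per_version)
 {
+ ClientPtr client = cl->client;
 char *gl_extensions;
 char *glx_extensions;
 
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
 /* Verify that the size of the packet matches the size inferred from the
 * sizes specified for the various fields.
 */
- const unsigned expected_size = sz_xGLXSetClientInfoARBReq
- + (req->numVersions * bytes_per_version)
- + __GLX_PAD(req->numGLExtensionBytes)
- + __GLX_PAD(req->numGLXExtensionBytes);
+ int size = sz_xGLXSetClientInfoARBReq;
+ size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
+ size = safe_add(size, safe_pad(req->numGLExtensionBytes));
+ size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
 
- if (req->length != (expected_size / 4))
+ if (size < 0 || req->length != (size / 4))
 return BadLength;
 
 /* Verify that the actual length of the GL extension string matches what's
@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientSt
 int
 __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
 {
+ ClientPtr client = cl->client;
 xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
 req->length = bswap_16(req->length);
 req->numVersions = bswap_32(req->numVersions);
 req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientS
 int
 __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
 {
+ ClientPtr client = cl->client;
 xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
 
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
 req->length = bswap_16(req->length);
 req->numVersions = bswap_32(req->numVersions);
 req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);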
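Review bot: In set_client_info the `size < 0` test is the only thing that rejects an overflowing or oversized count, and the comment above the computation still describes only the old equality check. The guard depends on safe_mul/safe_add/safe_pad, which are defined outside this patch, returning a negative value on overflow or negative input, and on the 32-bit wire fields turning negative when converted to int; I would extend that comment with something like `/* safe_*() yield a negative result on overflow or negative input, so size < 0 rejects hostile counts before any pointer arithmetic */`. In all three hunks the new `ClientPtr client` local is read only through the REQUEST_AT_LEAST_SIZE expansion, so a short `/* used by REQUEST_AT_LEAST_SIZE */` would keep a later cleanup from deleting it as unused. In the two Swap handlers it is also worth a comment that the length check is deliberately placed before the bswap calls, since it must pass before any field of the request is written. All three function bodies continue outside the hunks shown.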