debian/patches/CVE-2014-8xxx/0033-glx-Fix-mask-truncation-in-__glXGetAnswerBuffer-CVE-.patch

   1 From a7c63d6599067dc8ff0d114536d2db3fadb4e195 Mon Sep 17 00:00:00 2001
   2 From: Robert Morell <rmorell@nvidia.com>
   3 Date: Wed, 12 Nov 2014 18:51:43 -0800
   4 Subject: [PATCH 33/33] glx: Fix mask truncation in __glXGetAnswerBuffer
   5  [CVE-2014-8093 6/6]
   6
   7 On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
   8 bitwise not operation will result in a mask that clears all high bits
   9 from temp_buf in the expression:
  10         temp_buf = (temp_buf + mask) & ~mask;
  11
  12 Signed-off-by: Robert Morell <rmorell@nvidia.com>
  13 Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  14 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  15 ---
  16  glx/indirect_util.c |    2 +-
  17  1 file changed, 1 insertion(+), 1 deletion(-)
  18
  19 --- a/glx/indirect_util.c
  20 +++ b/glx/indirect_util.c
  21 @@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState *
  22                       void *local_buffer, size_t local_size, unsigned alignment)
  23  {
  24      void *buffer = local_buffer;
  25 -    const unsigned mask = alignment - 1;
  26 +    const intptr_t mask = alignment - 1;
  27
  28      if (local_size < required_size) {
  29          size_t worst_case_size;