--- /dev/null
+From 902b6a30c660f4b38afd936726071b631ada3fcf Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:38 -0500
+Subject: [PATCH 22/33] glx: Additional paranoia in __glXGetAnswerBuffer /
+ __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
+
+If the computed reply size is negative, something went wrong, treat it
+as an error.
+
+v2: Be more careful about size_t being unsigned (Matthieu Herrb)
+v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
+
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/indirect_util.c | 7 ++++++-
+ glx/unpack.h | 3 ++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/glx/indirect_util.c b/glx/indirect_util.c
+index 926e57c..de81491 100644
+--- a/glx/indirect_util.c
++++ b/glx/indirect_util.c
+@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
+ const unsigned mask = alignment - 1;
+
+ if (local_size < required_size) {
+- const size_t worst_case_size = required_size + alignment;
++ size_t worst_case_size;
+ intptr_t temp_buf;
+
++ if (required_size < SIZE_MAX - alignment)
++ worst_case_size = required_size + alignment;
++ else
++ return NULL;
++
+ if (cl->returnBufSize < worst_case_size) {
+ void *temp = realloc(cl->returnBuf, worst_case_size);
+
+diff --git a/glx/unpack.h b/glx/unpack.h
+index 52fba74..2b1ebcf 100644
+--- a/glx/unpack.h
++++ b/glx/unpack.h
+@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
+ ** pointer.
+ */
+ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
+- if ((size) > sizeof(answerBuffer)) { \
++ if (size < 0) return BadLength; \
++ else if ((size) > sizeof(answerBuffer)) { \
+ int bump; \
+ if ((cl)->returnBufSize < (size)+(align)) { \
+ (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
+--
+1.7.9.2
+
repositories / deb_xorg-server.git / blobdiff