Imported Debian patch 2:1.15.1-0ubuntu2.6
diff --git a/debian/patches/CVE-2014-8xxx/0025-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch b/debian/patches/CVE-2014-8xxx/0025-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
new file mode 100644 (file)
index 0000000..37c7cd0
--- /dev/null
@@ -0,0 +1,72 @@
+From 02f91446a5446d7287a0fc30aa8b15a1cd29c2cf Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Mon, 10 Nov 2014 12:13:41 -0500
+Subject: [PATCH 25/33] glx: Length checking for GLXRender requests (v2)
+ [CVE-2014-8098 2/8]
+
+v2:
+Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
+
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/glxcmds.c |   21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+Index: xorg-server-1.15.1/glx/glxcmds.c
+===================================================================
+--- xorg-server-1.15.1.orig/glx/glxcmds.c      2014-12-04 11:56:07.897284200 -0500
++++ xorg-server-1.15.1/glx/glxcmds.c   2014-12-04 11:56:07.893284176 -0500
+@@ -2015,7 +2015,7 @@
+     left = (req->length << 2) - sz_xGLXRenderReq;
+     while (left > 0) {
+         __GLXrenderSizeData entry;
+-        int extra;
++        int extra = 0;
+         __GLXdispatchRenderProcPtr proc;
+         int err;
+@@ -2034,6 +2034,9 @@
+         cmdlen = hdr->length;
+         opcode = hdr->opcode;
++        if (left < cmdlen)
++            return BadLength;
++
+         /*
+          ** Check for core opcodes and grab entry data.
+          */
+@@ -2047,6 +2050,10 @@
+             return __glXError(GLXBadRenderRequest);
+         }
++        if (cmdlen < entry.bytes) {
++            return BadLength;
++        }
++
+         if (entry.varsize) {
+             /* variable size command */
+             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
+@@ -2054,17 +2061,9 @@
+             if (extra < 0) {
+                 return BadLength;
+             }
+-            if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
+-                return BadLength;
+-            }
+         }
+-        else {
+-            /* constant size command */
+-            if (cmdlen != __GLX_PAD(entry.bytes)) {
+-                return BadLength;
+-            }
+-        }
+-        if (left < cmdlen) {
++
++        if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
+             return BadLength;
+         }
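Review bot: The two new guards are order-sensitive but carry no comment: `left < cmdlen` has to run before anything trusts `cmdlen`, and `cmdlen < entry.bytes` has to run before the `entry.varsize` call, which presumably reads the fixed part of the command (its body is not in this hunk). I would add above the second guard `/* reject short commands before varsize() inspects the fixed-size part */`, so a later cleanup does not move it below the callback. The final test `cmdlen != safe_pad(safe_add(entry.bytes, extra))` depends on those helpers returning a value that can never equal `cmdlen` when the sum overflows; their definitions are outside this page, so a short comment stating that contract at the call site would help. As a style point, the first guard is unbraced while the other two are braced. The enclosing loop starts and ends outside these hunks.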