X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0020-glx-Be-more-paranoid-about-variable-length-requests-.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0020-glx-Be-more-paranoid-about-variable-length-requests-.patch;h=508d9e755b996122c0a74ee1a626589a2b7ddcd4;hp=0000000000000000000000000000000000000000;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hpb=a09e091a5c996d46a398abb27b06fe504591673f

diff --git a/debian/patches/CVE-2014-8xxx/0020-glx-Be-more-paranoid-about-variable-length-requests-.patch b/debian/patches/CVE-2014-8xxx/0020-glx-Be-more-paranoid-about-variable-length-requests-.patch
new file mode 100644
index 0000000..508d9e7
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0020-glx-Be-more-paranoid-about-variable-length-requests-.patch
@@ -0,0 +1,44 @@
+From 096a5af8e52faafc38ae84dd17bede7ac03a3b83 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:36 -0500
+Subject: [PATCH 20/33] glx: Be more paranoid about variable-length requests
+ [CVE-2014-8093 1/6]
+
+If the size computation routine returns -1 we should just reject the
+request outright.  Clamping it to zero could give an attacker the
+opportunity to also mangle cmdlen in such a way that the subsequent
+length check passes, and the request would get executed, thus passing
+data we wanted to reject to the renderer.
+
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/glxcmds.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: xorg-server-1.15.1/glx/glxcmds.c
+===================================================================
+--- xorg-server-1.15.1.orig/glx/glxcmds.c	2014-12-04 11:55:22.293001486 -0500
++++ xorg-server-1.15.1/glx/glxcmds.c	2014-12-04 11:55:22.289001461 -0500
+@@ -2052,7 +2052,7 @@
+             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
+                                       client->swapped);
+             if (extra < 0) {
+-                extra = 0;
++                return BadLength;
+             }
+             if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
+                 return BadLength;
+@@ -2169,7 +2169,7 @@
+             extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
+                                       client->swapped);
+             if (extra < 0) {
+-                extra = 0;
++                return BadLength;
+             }
+             /* large command's header is 4 bytes longer, so add 4 */
+             if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {