X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0022-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0022-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch;h=3357e9b7e301d322233a1ef124cc8fc25fb353a5;hp=0000000000000000000000000000000000000000;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hpb=a09e091a5c996d46a398abb27b06fe504591673f
diff --git a/debian/patches/CVE-2014-8xxx/0022-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch b/debian/patches/CVE-2014-8xxx/0022-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
new file mode 100644
index 0000000..3357e9b
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0022-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
@@ -0,0 +1,59 @@
+From 902b6a30c660f4b38afd936726071b631ada3fcf Mon Sep 17 00:00:00 2001
+From: Adam Jackson
+Date: Mon, 10 Nov 2014 12:13:38 -0500
+Subject: [PATCH 22/33] glx: Additional paranoia in __glXGetAnswerBuffer /
+ __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
+
+If the computed reply size is negative, something went wrong, treat it
+as an error.
+
+v2: Be more careful about size_t being unsigned (Matthieu Herrb)
+v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
+
+Reviewed-by: Julien Cristau
+Reviewed-by: Michal Srb
+Reviewed-by: Andy Ritger
+Signed-off-by: Adam Jackson
+Signed-off-by: Alan Coopersmith
+---
+ glx/indirect_util.c | 7 ++++++-
+ glx/unpack.h | 3 ++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/glx/indirect_util.c b/glx/indirect_util.c
+index 926e57c..de81491 100644
+--- a/glx/indirect_util.c
++++ b/glx/indirect_util.c
+@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
+ const unsigned mask = alignment - 1;
+ 
+ if (local_size < required_size) {
+- const size_t worst_case_size = required_size + alignment;
++ size_t worst_case_size;
+ intptr_t temp_buf;
+ 
++ if (required_size < SIZE_MAX - alignment)
++ worst_case_size = required_size + alignment;
++ else
++ return NULL;
++
+ if (cl->returnBufSize < worst_case_size) {
+ void *temp = realloc(cl->returnBuf, worst_case_size);
+ 
+diff --git a/glx/unpack.h b/glx/unpack.h
+index 52fba74..2b1ebcf 100644
+--- a/glx/unpack.h
++++ b/glx/unpack.h
+@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
+ ** pointer.
+ */
+ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
+- if ((size) > sizeof(answerBuffer)) { \
++ if (size < 0) return BadLength; \
++ else if ((size) > sizeof(answerBuffer)) { \
+ int bump; \
+ if ((cl)->returnBufSize < (size)+(align)) { \
+ (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
+--
+1.7.9.2
+
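Review bot: In the glx/unpack.h part of this patch, the new guard `if (size < 0) return BadLength; \` leaves the macro argument unparenthesized while the neighbouring `(size) > sizeof(answerBuffer)` and `(size)+(align)` wrap it, so a compound expression passed as `size` would be parsed against `< 0` with unexpected precedence. Writing it as `if ((size) < 0) return BadLength; \` keeps the guard consistent with the rest of the macro. If any call site passes an unsigned expression as `size`, the comparison is always false and the new check silently does nothing (GCC reports this under `-Wtype-limits`); the callers are outside this patch, so that is worth confirming separately. The glx/indirect_util.c overflow check reads correctly as written; both the `__glXGetAnswerBuffer` body and the macro body continue past the quoted context.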