X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0027-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0027-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch;h=1caa603e6c52d360ab582e15a59161d2153a5c3f;hp=38e325e1cd64d1c7281c1288cc3c9f8f6ce0bba1;hb=4db25562fe97995f20b8adc0f2e6959ed82e8635;hpb=7217e0ca50bba73dad94782e67980aeeb24ab693
diff --git a/debian/patches/CVE-2014-8xxx/0027-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch b/debian/patches/CVE-2014-8xxx/0027-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
index 38e325e..1caa603 100644
--- a/debian/patches/CVE-2014-8xxx/0027-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
+++ b/debian/patches/CVE-2014-8xxx/0027-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
@@ -18,11 +18,9 @@ Signed-off-by: Alan Coopersmith
 glx/glxcmds.c | 57 ++++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 34 insertions(+), 23 deletions(-)
-Index: xorg-server-1.15.1/glx/glxcmds.c
-===================================================================
---- xorg-server-1.15.1.orig/glx/glxcmds.c 2014-12-04 11:56:22.749376887 -0500
-+++ xorg-server-1.15.1/glx/glxcmds.c 2014-12-04 11:56:22.745376862 -0500
-@@ -2099,6 +2099,8 @@
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -2099,6 +2099,8 @@ __glXDisp_RenderLarge(__GLXclientState *
 __GLX_DECLARE_SWAP_VARIABLES;
@@ -31,7 +29,7 @@ Index: xorg-server-1.15.1/glx/glxcmds.c
 req = (xGLXRenderLargeReq *) pc;
 if (client->swapped) {
 __GLX_SWAP_SHORT(&req->length);
-@@ -2114,12 +2116,14 @@
+@@ -2114,12 +2116,14 @@ __glXDisp_RenderLarge(__GLXclientState *
 __glXResetLargeCommandStatus(cl);
 return error;
 }
@@ -47,7 +45,7 @@ Index: xorg-server-1.15.1/glx/glxcmds.c
 client->errorValue = req->length;
 /* Reset in case this isn't 1st request. */
 __glXResetLargeCommandStatus(cl);
-@@ -2129,7 +2133,7 @@
+@@ -2129,7 +2133,7 @@ __glXDisp_RenderLarge(__GLXclientState *
 if (cl->largeCmdRequestsSoFar == 0) {
 __GLXrenderSizeData entry;
@@ -56,7 +54,7 @@ Index: xorg-server-1.15.1/glx/glxcmds.c
 size_t cmdlen;
 int err;
-@@ -2142,13 +2146,17 @@
+@@ -2142,13 +2146,17 @@ __glXDisp_RenderLarge(__GLXclientState *
 return __glXError(GLXBadLargeRequest);
 }
@@ -75,7 +73,7 @@ Index: xorg-server-1.15.1/glx/glxcmds.c
 /*
 ** Check for core opcodes and grab entry data.
-@@ -2170,17 +2178,13 @@
+@@ -2170,17 +2178,13 @@ __glXDisp_RenderLarge(__GLXclientState *
 if (extra < 0) {
 return BadLength;
 }
@@ -98,7 +96,7 @@ Index: xorg-server-1.15.1/glx/glxcmds.c
 /*
 ** Make enough space in the buffer, then copy the entire request.
 */
-@@ -2207,6 +2211,7 @@
+@@ -2207,6 +2211,7 @@ __glXDisp_RenderLarge(__GLXclientState *
 ** We are receiving subsequent (i.e. not the first) requests of a
 ** multi request command.
 */
@@ -106,7 +104,7 @@ Index: xorg-server-1.15.1/glx/glxcmds.c
 /*
 ** Check the request number and the total request count.
-@@ -2225,11 +2230,18 @@
+@@ -2225,11 +2230,18 @@ __glXDisp_RenderLarge(__GLXclientState *
 /*
 ** Check that we didn't get too much data.
 */
@@ -126,7 +124,7 @@ Index: xorg-server-1.15.1/glx/glxcmds.c
 memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
 cl->largeCmdBytesSoFar += dataBytes;
 cl->largeCmdRequestsSoFar++;
-@@ -2241,17 +2253,16 @@
+@@ -2241,17 +2253,16 @@ __glXDisp_RenderLarge(__GLXclientState *
 ** This is the last request; it must have enough bytes to complete
 ** the command.
 */