X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0028-glx-Top-level-length-checking-for-swapped-VendorPriv.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0028-glx-Top-level-length-checking-for-swapped-VendorPriv.patch;h=d42c8405205571215aaa68525087f128dc0f4dd8;hp=0000000000000000000000000000000000000000;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hpb=a09e091a5c996d46a398abb27b06fe504591673f

diff --git a/debian/patches/CVE-2014-8xxx/0028-glx-Top-level-length-checking-for-swapped-VendorPriv.patch b/debian/patches/CVE-2014-8xxx/0028-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
new file mode 100644
index 0000000..d42c840
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0028-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
@@ -0,0 +1,51 @@
+From efb3efd096edba7551e4e0e40bea522651211303 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:44 -0500
+Subject: [PATCH 28/33] glx: Top-level length checking for swapped
+ VendorPrivate requests [CVE-2014-8098 4/8]
+
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/glxcmdsswap.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
+index 5d179f3..9ec1222 100644
+--- a/glx/glxcmdsswap.c
++++ b/glx/glxcmdsswap.c
+@@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
+ int
+ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     xGLXVendorPrivateReq *req;
+     GLint vendorcode;
+     __GLXdispatchVendorPrivProcPtr proc;
+ 
+     __GLX_DECLARE_SWAP_VARIABLES;
++    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
+ 
+     req = (xGLXVendorPrivateReq *) pc;
+     __GLX_SWAP_SHORT(&req->length);
+@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
+ int
+ __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     xGLXVendorPrivateWithReplyReq *req;
+     GLint vendorcode;
+     __GLXdispatchVendorPrivProcPtr proc;
+ 
+     __GLX_DECLARE_SWAP_VARIABLES;
++    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
+ 
+     req = (xGLXVendorPrivateWithReplyReq *) pc;
+     __GLX_SWAP_SHORT(&req->length);
+-- 
+1.7.9.2
+