X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0029-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0029-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch;h=19ea8c6b1567be80115b7bef70b68e98757412ed;hp=0000000000000000000000000000000000000000;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hpb=a09e091a5c996d46a398abb27b06fe504591673f
diff --git a/debian/patches/CVE-2014-8xxx/0029-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch b/debian/patches/CVE-2014-8xxx/0029-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch
new file mode 100644
index 0000000..19ea8c6
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0029-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch
@@ -0,0 +1,74 @@
+From 554e382ba7aae961ca88c75edb1caffb5d00e9f6 Mon Sep 17 00:00:00 2001
+From: Adam Jackson
+Date: Mon, 10 Nov 2014 12:13:45 -0500
+Subject: [PATCH 29/33] glx: Request length checks for SetClientInfoARB
+ [CVE-2014-8098 5/8]
+
+Reviewed-by: Keith Packard
+Reviewed-by: Julien Cristau
+Reviewed-by: Michal Srb
+Reviewed-by: Andy Ritger
+Signed-off-by: Adam Jackson
+Signed-off-by: Alan Coopersmith
+---
+ glx/clientinfo.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/glx/clientinfo.c b/glx/clientinfo.c
+index 4aaa4c9..c5fef30 100644
+--- a/glx/clientinfo.c
++++ b/glx/clientinfo.c
+@@ -33,18 +33,21 @@ static int
+ set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
+ unsigned bytes_per_version)
+ {
++ ClientPtr client = cl->client;
+ char *gl_extensions;
+ char *glx_extensions;
+
++ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
++
+ /* Verify that the size of the packet matches the size inferred from the
+ * sizes specified for the various fields.
+ */
+- const unsigned expected_size = sz_xGLXSetClientInfoARBReq
+- + (req->numVersions * bytes_per_version)
+- + __GLX_PAD(req->numGLExtensionBytes)
+- + __GLX_PAD(req->numGLXExtensionBytes);
++ int size = sz_xGLXSetClientInfoARBReq;
++ size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
++ size = safe_add(size, safe_pad(req->numGLExtensionBytes));
++ size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
+
+- if (req->length != (expected_size / 4))
++ if (size < 0 || req->length != (size / 4))
+ return BadLength;
+
+ /* Verify that the actual length of the GL extension string matches what's
+@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
+ int
+ __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
+
++ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
++
+ req->length = bswap_16(req->length);
+ req->numVersions = bswap_32(req->numVersions);
+ req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
+@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
+ int
+ __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
+
++ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
++
+ req->length = bswap_16(req->length);
+ req->numVersions = bswap_32(req->numVersions);
+ req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
+--
+1.7.9.2
+
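Review bot: The `size < 0` test in `set_client_info` is the only thing that turns an overflowing length computation into `BadLength`, and nothing in the function says so. It depends on `safe_add`, `safe_mul` and `safe_pad`, whose definitions are not in this patch and which appear to signal overflow with a negative result. It also depends on the client-supplied 32-bit fields `numVersions`, `numGLExtensionBytes` and `numGLXExtensionBytes` becoming negative when passed as `int` once they exceed `INT_MAX`. I would add a comment above `int size = sz_xGLXSetClientInfoARBReq;`, such as `/* size is signed on purpose: the safe_* helpers report overflow as a negative value, which the size < 0 test below rejects. */`, so a later cleanup does not make `size` unsigned or drop the test. The body of `set_client_info` continues past the hunk with the extension-string checks, which rely on this length having been validated.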