Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server/0023-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch')
-rw-r--r--patches/source/xorg-server/patch/xorg-server/0023-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch76
1 files changed, 76 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/0023-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch b/patches/source/xorg-server/patch/xorg-server/0023-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
new file mode 100644
index 00000000..96de637a
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/0023-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
@@ -0,0 +1,76 @@
+From bce43e2e287096be4c737105fa12459ff2e052b2 Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Mon, 10 Nov 2014 12:13:41 -0500
+Subject: [PATCH 23/31] glx: Length checking for GLXRender requests (v2)
+ [CVE-2014-8098 2/8]
+
+v2:
+Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
+
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
+---
+ glx/glxcmds.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index 5b50785..969bf01 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -1971,7 +1971,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ left = (req->length << 2) - sz_xGLXRenderReq;
+ while (left > 0) {
+ __GLXrenderSizeData entry;
+- int extra;
++ int extra = 0;
+ __GLXdispatchRenderProcPtr proc;
+ int err;
+
+@@ -1990,6 +1990,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ cmdlen = hdr->length;
+ opcode = hdr->opcode;
+
++ if (left < cmdlen)
++ return BadLength;
++
+ /*
+ ** Check for core opcodes and grab entry data.
+ */
+@@ -2003,6 +2006,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ return __glXError(GLXBadRenderRequest);
+ }
+
++ if (cmdlen < entry.bytes) {
++ return BadLength;
++ }
++
+ if (entry.varsize) {
+ /* variable size command */
+ extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
+@@ -2010,17 +2017,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ if (extra < 0) {
+ return BadLength;
+ }
+- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
+- return BadLength;
+- }
+ }
+- else {
+- /* constant size command */
+- if (cmdlen != __GLX_PAD(entry.bytes)) {
+- return BadLength;
+- }
+- }
+- if (left < cmdlen) {
++
++ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
+ return BadLength;
+ }
+
+--
+1.9.3
+
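Review bot: The merged length check `if (cmdlen != safe_pad(safe_add(entry.bytes, extra)))` uses `safe_pad` and `safe_add`, which this patch neither defines nor pulls in via a header, so 0023 only compiles if those helpers were already added by an earlier patch in the same CVE-2014-8098 series (presumably one of the preceding numbered patches); that ordering dependency is worth stating in the patch description so a rebase or partial backport does not silently break the build. Moving `if (left < cmdlen) return BadLength;` ahead of the `entry.varsize` call, together with the new `if (cmdlen < entry.bytes)` guard, is what stops the varsize callback from reading past the end of the request, so both guards must stay before that call if the hunk is ever re-applied by hand. Whether `left` is compared against the render header size before `hdr` is dereferenced cannot be seen here, because the loop body between the two first hunks (lines 1978–1989 of glxcmds.c) is not shown, and `cmdlen` is read from `hdr` before the first new check runs. `__glXDisp_Render` starts and ends outside the visible hunks.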