From 9cf40ac3793ab273d9c6c94fca93daf17ebb8881 Mon Sep 17 00:00:00 2001 From: Adam Jackson Date: Mon, 10 Nov 2014 12:13:38 -0500 Subject: [PATCH 20/31] glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6] If the computed reply size is negative, something went wrong, treat it as an error. v2: Be more careful about size_t being unsigned (Matthieu Herrb) v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) Reviewed-by: Julien Cristau Reviewed-by: Michal Srb Reviewed-by: Andy Ritger Signed-off-by: Adam Jackson Signed-off-by: Alan Coopersmith Signed-off-by: Fedora X Ninjas --- glx/indirect_util.c | 7 ++++++- glx/unpack.h | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/glx/indirect_util.c b/glx/indirect_util.c index a30b1f8..7431d43 100644 --- a/glx/indirect_util.c +++ b/glx/indirect_util.c @@ -81,9 +81,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size, const unsigned mask = alignment - 1; if (local_size < required_size) { - const size_t worst_case_size = required_size + alignment; + size_t worst_case_size; intptr_t temp_buf; + if (required_size < SIZE_MAX - alignment) + worst_case_size = required_size + alignment; + else + return NULL; + if (cl->returnBufSize < worst_case_size) { void *temp = realloc(cl->returnBuf, worst_case_size); diff --git a/glx/unpack.h b/glx/unpack.h index 52fba74..2b1ebcf 100644 --- a/glx/unpack.h +++ b/glx/unpack.h @@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply; ** pointer. */ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \ - if ((size) > sizeof(answerBuffer)) { \ + if (size < 0) return BadLength; \ + else if ((size) > sizeof(answerBuffer)) { \ int bump; \ if ((cl)->returnBufSize < (size)+(align)) { \ (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \ -- 1.9.3