From bf0ab1bee4d590fbfaa2fd4e56857b019898e21a Mon Sep 17 00:00:00 2001 From: Adam Jackson Date: Mon, 10 Nov 2014 12:13:39 -0500 Subject: [PATCH 21/31] glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8] Without this we'd reject the request with BadLength. Note that some old versions of Mesa had a bug in the same place, and would _send_ zero bytes of image data; these will now be rejected, correctly. Reviewed-by: Keith Packard Reviewed-by: Julien Cristau Reviewed-by: Michal Srb Reviewed-by: Andy Ritger Signed-off-by: Adam Jackson Signed-off-by: Alan Coopersmith Signed-off-by: Fedora X Ninjas --- glx/rensize.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/glx/rensize.c b/glx/rensize.c index bcc3a53..10f76bc 100644 --- a/glx/rensize.c +++ b/glx/rensize.c @@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, case GL_ALPHA: case GL_LUMINANCE: case GL_INTENSITY: + case GL_RED_INTEGER_EXT: + case GL_GREEN_INTEGER_EXT: + case GL_BLUE_INTEGER_EXT: + case GL_ALPHA_INTEGER_EXT: + case GL_LUMINANCE_INTEGER_EXT: elementsPerGroup = 1; break; case GL_422_EXT: @@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, case GL_DEPTH_STENCIL_MESA: case GL_YCBCR_MESA: case GL_LUMINANCE_ALPHA: + case GL_LUMINANCE_ALPHA_INTEGER_EXT: elementsPerGroup = 2; break; case GL_RGB: case GL_BGR: + case GL_RGB_INTEGER_EXT: + case GL_BGR_INTEGER_EXT: elementsPerGroup = 3; break; case GL_RGBA: case GL_BGRA: + case GL_RGBA_INTEGER_EXT: + case GL_BGRA_INTEGER_EXT: case GL_ABGR_EXT: elementsPerGroup = 4; break; -- 1.9.3