From bce43e2e287096be4c737105fa12459ff2e052b2 Mon Sep 17 00:00:00 2001
From: Julien Cristau
Date: Mon, 10 Nov 2014 12:13:41 -0500
Subject: [PATCH 23/31] glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]
v2: Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
Reviewed-by: Adam Jackson
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Julien Cristau
Signed-off-by: Alan Coopersmith
Signed-off-by: Fedora X Ninjas
---
 glx/glxcmds.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 5b50785..969bf01 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -1971,7 +1971,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
 left = (req->length << 2) - sz_xGLXRenderReq;
 while (left > 0) {
 __GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
 __GLXdispatchRenderProcPtr proc;
 int err;
@@ -1990,6 +1990,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
 cmdlen = hdr->length;
 opcode = hdr->opcode;
+ if (left < cmdlen)
+ return BadLength;
+
 /*
 ** Check for core opcodes and grab entry data.
 */
@@ -2003,6 +2006,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
 return __glXError(GLXBadRenderRequest);
 }
+ if (cmdlen < entry.bytes) {
+ return BadLength;
+ }
+
 if (entry.varsize) {
 /* variable size command */
 extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
@@ -2010,17 +2017,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
 if (extra < 0) {
 return BadLength;
 }
- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
- return BadLength;
- }
 }
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes)) {
- return BadLength;
- }
- }
- if (left < cmdlen) {
+
+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
 return BadLength;
 }
-- 1.9.3
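Review bot: The relocated `if (left < cmdlen)` check in the second hunk is the only unbraced single-statement `if` in the patch; the sibling check added in the next hunk and the neighbouring `if (extra < 0) {` both use braces, so for consistency write it as `if (left < cmdlen) {` / `return BadLength;` / `}`. Because the check now runs before the opcode table lookup instead of after the size comparison (its old position is deleted in the last hunk), a short comment would preserve the reason for the move: `/* hdr->length is client-supplied: bound it by the bytes left in the request before the table lookup or varsize() uses it */`. `left` is derived in the first hunk from `req->length`; whether that field has already been validated against the request's real size is outside the visible hunks. The enclosing while loop begins in the first hunk and continues past this one.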
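Review bot: The new `cmdlen < entry.bytes` check in the third hunk carries no explanation, yet together with the earlier `left < cmdlen` check it is what makes the fixed-size part of each command safe to read; suggest `/* left >= cmdlen >= entry.bytes: the fixed-size part of the command lies within the request before varsize() reads it */`. What the varsize callback itself reads is not visible here — its argument list is cut off at the hunk edge — so whether a callback may consult bytes beyond the `entry.bytes` prefix, and therefore still needs the remaining length passed to it, cannot be judged from this patch alone. The enclosing loop body starts and ends outside this hunk.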
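Review bot: `safe_add()` and `safe_pad()` in the last hunk are not defined in this patch, so the unified size check depends on helpers introduced elsewhere (presumably earlier in this CVE series); a one-line comment on why they replace `__GLX_PAD(entry.bytes + extra)` would keep the intent visible: `/* safe_add/safe_pad fail closed on overflow instead of wrapping, so a huge extra cannot yield a small padded size equal to cmdlen */` — accurate only if those helpers really return an out-of-range value on overflow, which should be confirmed against their definition. Removing the else branch also means the constant-size path now relies on `extra` staying 0 from the initializer added in the first hunk; a comment at that initializer, `/* stays 0 for constant-size commands; the size check below adds it unconditionally */`, ties the two hunks together. The remainder of the loop body after the check is outside the hunk.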