From 3e9dd82063cc50d649517ee21ce68cfe4b98a1f6 Mon Sep 17 00:00:00 2001
From: Robert Morell
Date: Wed, 12 Nov 2014 18:51:43 -0800
Subject: [PATCH 29/31] glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]
On a system where sizeof(unsigned) != sizeof(intptr_t), the unary bitwise not operation will result in a mask that clears all high bits from temp_buf in the expression: temp_buf = (temp_buf + mask) & ~mask;
Signed-off-by: Robert Morell
Reviewed-by: Alan Coopersmith
Signed-off-by: Alan Coopersmith
Signed-off-by: Fedora X Ninjas
---
 glx/indirect_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/glx/indirect_util.c b/glx/indirect_util.c
index 7431d43..5914f5b 100644
--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@@ -78,7 +78,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
 void *local_buffer, size_t local_size, unsigned alignment)
 {
 void *buffer = local_buffer;
- const unsigned mask = alignment - 1;
+ const intptr_t mask = alignment - 1;
 if (local_size < required_size) {
 size_t worst_case_size;
--
1.9.3
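Review bot: The reason `mask` has to be `intptr_t` is not recorded next to its declaration in `__glXGetAnswerBuffer`, so a later cleanup could narrow it back to `unsigned` and reintroduce the truncation on platforms where pointers are wider than `unsigned`. I would add a comment above it such as `/* mask must be as wide as temp_buf: ~mask on a narrower unsigned type zero-extends and clears the high pointer bits */`. The subtraction `alignment - 1` is still evaluated in `unsigned` before the conversion, and nothing in the visible lines checks that `alignment` is a nonzero power of two. If callers do not guarantee that, an assertion or an early failure return would make the assumption explicit. The function body continues past the end of the hunk, so the use of `mask` is known here only from the expression quoted in the commit message.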