From 9cf40ac3793ab273d9c6c94fca93daf17ebb8881 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 10 Nov 2014 12:13:38 -0500
Subject: [PATCH 20/31] glx: Additional paranoia in __glXGetAnswerBuffer /
 __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]

If the computed reply size is negative, something went wrong; treat it
as an error.

v2: Be more careful about size_t being unsigned (Matthieu Herrb)
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)

Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
---
 glx/indirect_util.c | 7 ++++++-
 glx/unpack.h        | 3 ++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/glx/indirect_util.c b/glx/indirect_util.c
index a30b1f8..7431d43 100644
--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@@ -81,9 +81,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
     const unsigned mask = alignment - 1;
 
     if (local_size < required_size) {
-        const size_t worst_case_size = required_size + alignment;
+        size_t worst_case_size;
         intptr_t temp_buf;
 
+        if (required_size < SIZE_MAX - alignment)
+            worst_case_size = required_size + alignment;
+        else
+            return NULL;
+
         if (cl->returnBufSize < worst_case_size) {
             void *temp = realloc(cl->returnBuf, worst_case_size);
 
diff --git a/glx/unpack.h b/glx/unpack.h
index 52fba74..2b1ebcf 100644
--- a/glx/unpack.h
+++ b/glx/unpack.h
@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
 ** pointer.
 */
 #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align)			 \
-    if ((size) > sizeof(answerBuffer)) {				 \
+    if (size < 0) return BadLength;                                      \
+    else if ((size) > sizeof(answerBuffer)) {				 \
 	int bump;							 \
 	if ((cl)->returnBufSize < (size)+(align)) {			 \
 	    (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf,	 	 \
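Review bot: The new `if (size < 0) return BadLength;` is the only use of the macro argument in this macro that is not parenthesized; the neighbouring lines write `(size)`, and an argument that is a conditional or comma expression would parse differently, so it should read `if ((size) < 0) return BadLength;`. The check also only does anything when the caller passes a signed expression: for an unsigned or `size_t` argument the comparison is always false (most compilers warn), and a wrapped value would fall straight through to the existing `> sizeof(answerBuffer)` branch — the callers are outside this hunk, so that cannot be confirmed here. Separately, the `realloc` on the last context line still assigns directly back to `(cl)->returnBuf`, losing the old buffer if `realloc` fails, whereas the indirect_util.c hunk of this same patch uses a temporary; the macro body continues beyond the hunk, so whether a failure check follows is not visible.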
-- 
1.9.3