|
|
0fd959 |
From 4c909ffb1b8d6fc2ba61dc764e047f95dd8950b7 Mon Sep 17 00:00:00 2001
|
|
|
0fd959 |
From: Adam Jackson <ajax@redhat.com>
|
|
|
0fd959 |
Date: Mon, 10 Nov 2014 12:13:38 -0500
|
|
|
0fd959 |
Subject: [PATCH 22/33] glx: Additional paranoia in __glXGetAnswerBuffer /
|
|
|
0fd959 |
__GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
|
|
|
0fd959 |
|
|
|
0fd959 |
If the computed reply size is negative, something went wrong, treat it
|
|
|
0fd959 |
as an error.
|
|
|
0fd959 |
|
|
|
0fd959 |
v2: Be more careful about size_t being unsigned (Matthieu Herrb)
|
|
|
0fd959 |
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
|
|
|
0fd959 |
|
|
|
0fd959 |
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
|
0fd959 |
Reviewed-by: Michal Srb <msrb@suse.com>
|
|
|
0fd959 |
Reviewed-by: Andy Ritger <aritger@nvidia.com>
|
|
|
0fd959 |
Signed-off-by: Adam Jackson <ajax@redhat.com>
|
|
|
0fd959 |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
0fd959 |
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
|
|
|
0fd959 |
---
|
|
|
0fd959 |
glx/indirect_util.c | 7 ++++++-
|
|
|
0fd959 |
glx/unpack.h | 3 ++-
|
|
|
0fd959 |
2 files changed, 8 insertions(+), 2 deletions(-)
|
|
|
0fd959 |
|
|
|
0fd959 |
diff --git a/glx/indirect_util.c b/glx/indirect_util.c
|
|
|
0fd959 |
index f9d1243..183af83 100644
|
|
|
0fd959 |
--- a/glx/indirect_util.c
|
|
|
0fd959 |
+++ b/glx/indirect_util.c
|
|
|
0fd959 |
@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
|
|
|
0fd959 |
const unsigned mask = alignment - 1;
|
|
|
0fd959 |
|
|
|
0fd959 |
if (local_size < required_size) {
|
|
|
0fd959 |
- const size_t worst_case_size = required_size + alignment;
|
|
|
0fd959 |
+ size_t worst_case_size;
|
|
|
0fd959 |
intptr_t temp_buf;
|
|
|
0fd959 |
|
|
|
0fd959 |
+ if (required_size < SIZE_MAX - alignment)
|
|
|
0fd959 |
+ worst_case_size = required_size + alignment;
|
|
|
0fd959 |
+ else
|
|
|
0fd959 |
+ return NULL;
|
|
|
0fd959 |
+
|
|
|
0fd959 |
if (cl->returnBufSize < worst_case_size) {
|
|
|
0fd959 |
void *temp = realloc(cl->returnBuf, worst_case_size);
|
|
|
0fd959 |
|
|
|
0fd959 |
diff --git a/glx/unpack.h b/glx/unpack.h
|
|
|
0fd959 |
index 52fba74..2b1ebcf 100644
|
|
|
0fd959 |
--- a/glx/unpack.h
|
|
|
0fd959 |
+++ b/glx/unpack.h
|
|
|
0fd959 |
@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
|
|
|
0fd959 |
** pointer.
|
|
|
0fd959 |
*/
|
|
|
0fd959 |
#define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
|
|
|
0fd959 |
- if ((size) > sizeof(answerBuffer)) { \
|
|
|
0fd959 |
+ if (size < 0) return BadLength; \
|
|
|
0fd959 |
+ else if ((size) > sizeof(answerBuffer)) { \
|
|
|
0fd959 |
int bump; \
|
|
|
0fd959 |
if ((cl)->returnBufSize < (size)+(align)) { \
|
|
|
0fd959 |
(cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
|
|
|
0fd959 |
--
|
|
|
0fd959 |
1.9.3
|
|
|
0fd959 |
|