From 32a1e43ecfe456363ddcb87cc39ef80bcb44fd55 Mon Sep 17 00:00:00 2001
From: Robert Morell <rmorell@nvidia.com>
Date: Wed, 12 Nov 2014 18:51:43 -0800
Subject: [PATCH 31/33] glx: Fix mask truncation in __glXGetAnswerBuffer
[CVE-2014-8093 6/6]
On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
bitwise not operation will result in a mask that clears all high bits
from temp_buf in the expression:
temp_buf = (temp_buf + mask) & ~mask;
Signed-off-by: Robert Morell <rmorell@nvidia.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
---
glx/indirect_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/glx/indirect_util.c b/glx/indirect_util.c
index 183af83..cebb782 100644
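--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
 void *local_buffer, size_t local_size, unsigned alignment)
 {
 void *buffer = local_buffer;
- const unsigned mask = alignment - 1;
+ const intptr_t mask = alignment - 1;
 
 if (local_size < required_size) {
 size_t worst_case_size;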
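Review bot: The new `const intptr_t mask = alignment - 1;` is only a valid alignment mask when `alignment` is a non-zero power of two, and nothing visible in this hunk checks that. With `alignment == 0` the subtraction is still done in `unsigned` and wraps to UINT_MAX before it is widened, so on an LP64 build `~mask` would clear the low 32 bits of `temp_buf` and the rounded pointer could land far outside the allocated buffer. The callers are not shown and may only pass small constants, and the function body continues outside the hunk, so a check may already exist further down. If it does not, I would document the contract at the declaration with `/* alignment must be a non-zero power of two; mask is pointer-width so ~mask keeps the high bits of temp_buf */`, or enforce it with `assert(alignment && !(alignment & (alignment - 1)));`.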
--
1.9.3