From f5a7c552b4e0268df93cce2d7f418a7f81770873 Mon Sep 17 00:00:00 2001
From: Adam Jackson
Date: Mon, 10 Nov 2014 12:13:40 -0500
Subject: [PATCH 24/33] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] These are paranoid about integer overflow, and will return -1 if their operation would overflow a (signed) integer or if either argument is negative. Note that RenderLarge requests are sized with a uint32_t so in principle this could be sketchy there, but dix limits bigreqs to 128M so you shouldn't ever notice, and honestly if you're sending more than 2G of rendering commands you're already doing something very wrong. v2: Use INT_MAX for consistency with the rest of the server (jcristau) v3: Reject negative arguments (anholt)
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
Signed-off-by: Fedora X Ninjas
---
glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/glx/glxserver.h b/glx/glxserver.h
index 7f36e5f..14c5dda 100644
--- a/glx/glxserver.h
+++ b/glx/glxserver.h
@@ -230,6 +230,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
 * Routines for computing the size of variably-sized rendering commands.
 */
+static _X_INLINE int
+safe_add(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (INT_MAX - a < b)
+ return -1;
+
+ return a + b;
+}
+
+static _X_INLINE int
+safe_mul(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (a == 0 || b == 0)
+ return 0;
+
+ if (a > INT_MAX / b)
+ return -1;
+
+ return a * b;
+}
+
+static _X_INLINE int
+safe_pad(int a)
+{
+ int ret;
+
+ if (a < 0)
+ return -1;
+
+ if ((ret = safe_add(a, 3)) < 0)
+ return -1;
+
+ return ret & (GLuint)~3;
+}
+
 extern int __glXTypeSize(GLenum enm);
 extern int __glXImageSize(GLenum format, GLenum type, GLenum target, GLsizei w, GLsizei h, GLsizei d,
--
1.9.3
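Review bot: The three helpers land in glxserver.h without a comment stating their contract, which at present only the commit message records: each returns -1 when an argument is negative or the result would exceed INT_MAX. Because -1 is an in-band error value, a caller that passes the result on as a length without testing `< 0` first would hand a negative size to whatever consumes it, so I would put a block comment above `safe_add` along the lines of `/* Overflow-checked size arithmetic: returns -1 on negative input or overflow; callers must check for < 0 before using the result. */`. It is also worth saying there that a -1 fed back into another helper is rejected again, so chained calls such as `safe_pad(safe_mul(a, b))` need only one check at the end. Separately, the `a < 0` test in `safe_pad` duplicates the one in `safe_add`, and the hunk does not show where `INT_MAX` comes from, so confirm `<limits.h>` is reachable from this header.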