Commit be09e0c9 authored by Julien Cristau's avatar Julien Cristau Committed by Alan Coopersmith

glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]



v2:
Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
Reviewed-by: Adam Jackson's avatarAdam Jackson <ajax@redhat.com>
Reviewed-by: default avatarMichal Srb <msrb@suse.com>
Reviewed-by: default avatarAndy Ritger <aritger@nvidia.com>
Signed-off-by: Julien Cristau's avatarJulien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith's avatarAlan Coopersmith <alan.coopersmith@oracle.com>
parent 2a5cbc17
...@@ -2025,7 +2025,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) ...@@ -2025,7 +2025,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
left = (req->length << 2) - sz_xGLXRenderReq; left = (req->length << 2) - sz_xGLXRenderReq;
while (left > 0) { while (left > 0) {
__GLXrenderSizeData entry; __GLXrenderSizeData entry;
int extra; int extra = 0;
__GLXdispatchRenderProcPtr proc; __GLXdispatchRenderProcPtr proc;
int err; int err;
...@@ -2044,6 +2044,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) ...@@ -2044,6 +2044,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
cmdlen = hdr->length; cmdlen = hdr->length;
opcode = hdr->opcode; opcode = hdr->opcode;
if (left < cmdlen)
return BadLength;
/* /*
** Check for core opcodes and grab entry data. ** Check for core opcodes and grab entry data.
*/ */
...@@ -2057,6 +2060,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) ...@@ -2057,6 +2060,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
return __glXError(GLXBadRenderRequest); return __glXError(GLXBadRenderRequest);
} }
if (cmdlen < entry.bytes) {
return BadLength;
}
if (entry.varsize) { if (entry.varsize) {
/* variable size command */ /* variable size command */
extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
...@@ -2064,17 +2071,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) ...@@ -2064,17 +2071,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
if (extra < 0) { if (extra < 0) {
return BadLength; return BadLength;
} }
if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
return BadLength;
}
} }
else {
/* constant size command */ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
if (cmdlen != __GLX_PAD(entry.bytes)) {
return BadLength;
}
}
if (left < cmdlen) {
return BadLength; return BadLength;
} }
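Review bot: The two early checks added in the second and third hunks are order-dependent, and nothing in the code says so. `if (left < cmdlen)` must run before anything beyond the render header is trusted, and `if (cmdlen < entry.bytes)` must stay ahead of the `(*entry.varsize)(pc + __GLX_RENDER_HDR_SIZE, ...)` call, which is handed client-supplied bytes. I would add `/* client-supplied cmdlen must fit in what remains of the request */` above the first and `/* fixed-size part must be present before varsize() looks at it */` above the second. The merged `cmdlen != safe_pad(safe_add(entry.bytes, extra))` test presumably relies on those helpers returning a negative value on overflow, which `cmdlen` can never equal, so a comment such as `/* safe_* yield a negative value on overflow, which never matches cmdlen */` would protect that assumption if `cmdlen`'s type is changed later. The body of `__glXDisp_Render` starts and ends outside these hunks, so the declaration of `cmdlen` and the rest of the `varsize` call are not visible here.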
......